@clef-sh/cli 0.1.6-beta.32 → 0.1.7-beta.45

package/dist/index.mjs

@@ -976,8 +976,8 @@ var require_command = __commonJS({
   "../../node_modules/commander/lib/command.js"(exports) {
     var EventEmitter = __require("node:events").EventEmitter;
     var childProcess = __require("node:child_process");
-    var path43 = __require("node:path");
-    var fs26 = __require("node:fs");
+    var path44 = __require("node:path");
+    var fs27 = __require("node:fs");
     var process2 = __require("node:process");
     var { Argument: Argument2, humanReadableArgName } = require_argument();
     var { CommanderError: CommanderError2 } = require_error();
@@ -1909,11 +1909,11 @@ Expecting one of '${allowedValues.join("', '")}'`);
         let launchWithNode = false;
         const sourceExt = [".js", ".ts", ".tsx", ".mjs", ".cjs"];
         function findFile(baseDir, baseName) {
-          const localBin = path43.resolve(baseDir, baseName);
-          if (fs26.existsSync(localBin)) return localBin;
-          if (sourceExt.includes(path43.extname(baseName))) return void 0;
+          const localBin = path44.resolve(baseDir, baseName);
+          if (fs27.existsSync(localBin)) return localBin;
+          if (sourceExt.includes(path44.extname(baseName))) return void 0;
           const foundExt = sourceExt.find(
-            (ext) => fs26.existsSync(`${localBin}${ext}`)
+            (ext) => fs27.existsSync(`${localBin}${ext}`)
           );
           if (foundExt) return `${localBin}${foundExt}`;
           return void 0;
@@ -1925,21 +1925,21 @@ Expecting one of '${allowedValues.join("', '")}'`);
         if (this._scriptPath) {
           let resolvedScriptPath;
           try {
-            resolvedScriptPath = fs26.realpathSync(this._scriptPath);
+            resolvedScriptPath = fs27.realpathSync(this._scriptPath);
           } catch (err) {
             resolvedScriptPath = this._scriptPath;
           }
-          executableDir = path43.resolve(
-            path43.dirname(resolvedScriptPath),
+          executableDir = path44.resolve(
+            path44.dirname(resolvedScriptPath),
             executableDir
           );
         }
         if (executableDir) {
           let localFile = findFile(executableDir, executableFile);
           if (!localFile && !subcommand._executableFile && this._scriptPath) {
-            const legacyName = path43.basename(
+            const legacyName = path44.basename(
               this._scriptPath,
-              path43.extname(this._scriptPath)
+              path44.extname(this._scriptPath)
             );
             if (legacyName !== this._name) {
               localFile = findFile(
@@ -1950,7 +1950,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
           }
           executableFile = localFile || executableFile;
         }
-        launchWithNode = sourceExt.includes(path43.extname(executableFile));
+        launchWithNode = sourceExt.includes(path44.extname(executableFile));
         let proc;
         if (process2.platform !== "win32") {
           if (launchWithNode) {
@@ -2790,7 +2790,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @return {Command}
        */
       nameFromFilename(filename) {
-        this._name = path43.basename(filename, path43.extname(filename));
+        this._name = path44.basename(filename, path44.extname(filename));
         return this;
       }
       /**
@@ -2804,9 +2804,9 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @param {string} [path]
        * @return {(string|null|Command)}
        */
-      executableDir(path44) {
-        if (path44 === void 0) return this._executableDir;
-        this._executableDir = path44;
+      executableDir(path45) {
+        if (path45 === void 0) return this._executableDir;
+        this._executableDir = path45;
         return this;
       }
       /**
@@ -3113,17 +3113,17 @@ var require_visit = __commonJS({
     visit.BREAK = BREAK;
     visit.SKIP = SKIP;
     visit.REMOVE = REMOVE;
-    function visit_(key, node, visitor, path43) {
-      const ctrl = callVisitor(key, node, visitor, path43);
+    function visit_(key, node, visitor, path44) {
+      const ctrl = callVisitor(key, node, visitor, path44);
       if (identity.isNode(ctrl) || identity.isPair(ctrl)) {
-        replaceNode(key, path43, ctrl);
-        return visit_(key, ctrl, visitor, path43);
+        replaceNode(key, path44, ctrl);
+        return visit_(key, ctrl, visitor, path44);
       }
       if (typeof ctrl !== "symbol") {
         if (identity.isCollection(node)) {
-          path43 = Object.freeze(path43.concat(node));
+          path44 = Object.freeze(path44.concat(node));
           for (let i = 0; i < node.items.length; ++i) {
-            const ci = visit_(i, node.items[i], visitor, path43);
+            const ci = visit_(i, node.items[i], visitor, path44);
             if (typeof ci === "number")
               i = ci - 1;
             else if (ci === BREAK)
@@ -3134,13 +3134,13 @@ var require_visit = __commonJS({
             }
           }
         } else if (identity.isPair(node)) {
-          path43 = Object.freeze(path43.concat(node));
-          const ck = visit_("key", node.key, visitor, path43);
+          path44 = Object.freeze(path44.concat(node));
+          const ck = visit_("key", node.key, visitor, path44);
           if (ck === BREAK)
             return BREAK;
           else if (ck === REMOVE)
             node.key = null;
-          const cv = visit_("value", node.value, visitor, path43);
+          const cv = visit_("value", node.value, visitor, path44);
           if (cv === BREAK)
             return BREAK;
           else if (cv === REMOVE)
@@ -3161,17 +3161,17 @@ var require_visit = __commonJS({
     visitAsync.BREAK = BREAK;
     visitAsync.SKIP = SKIP;
     visitAsync.REMOVE = REMOVE;
-    async function visitAsync_(key, node, visitor, path43) {
-      const ctrl = await callVisitor(key, node, visitor, path43);
+    async function visitAsync_(key, node, visitor, path44) {
+      const ctrl = await callVisitor(key, node, visitor, path44);
       if (identity.isNode(ctrl) || identity.isPair(ctrl)) {
-        replaceNode(key, path43, ctrl);
-        return visitAsync_(key, ctrl, visitor, path43);
+        replaceNode(key, path44, ctrl);
+        return visitAsync_(key, ctrl, visitor, path44);
       }
       if (typeof ctrl !== "symbol") {
         if (identity.isCollection(node)) {
-          path43 = Object.freeze(path43.concat(node));
+          path44 = Object.freeze(path44.concat(node));
           for (let i = 0; i < node.items.length; ++i) {
-            const ci = await visitAsync_(i, node.items[i], visitor, path43);
+            const ci = await visitAsync_(i, node.items[i], visitor, path44);
             if (typeof ci === "number")
               i = ci - 1;
             else if (ci === BREAK)
@@ -3182,13 +3182,13 @@ var require_visit = __commonJS({
             }
           }
         } else if (identity.isPair(node)) {
-          path43 = Object.freeze(path43.concat(node));
-          const ck = await visitAsync_("key", node.key, visitor, path43);
+          path44 = Object.freeze(path44.concat(node));
+          const ck = await visitAsync_("key", node.key, visitor, path44);
           if (ck === BREAK)
             return BREAK;
           else if (ck === REMOVE)
             node.key = null;
-          const cv = await visitAsync_("value", node.value, visitor, path43);
+          const cv = await visitAsync_("value", node.value, visitor, path44);
           if (cv === BREAK)
             return BREAK;
           else if (cv === REMOVE)
@@ -3215,23 +3215,23 @@ var require_visit = __commonJS({
       }
       return visitor;
     }
-    function callVisitor(key, node, visitor, path43) {
+    function callVisitor(key, node, visitor, path44) {
       if (typeof visitor === "function")
-        return visitor(key, node, path43);
+        return visitor(key, node, path44);
       if (identity.isMap(node))
-        return visitor.Map?.(key, node, path43);
+        return visitor.Map?.(key, node, path44);
       if (identity.isSeq(node))
-        return visitor.Seq?.(key, node, path43);
+        return visitor.Seq?.(key, node, path44);
       if (identity.isPair(node))
-        return visitor.Pair?.(key, node, path43);
+        return visitor.Pair?.(key, node, path44);
       if (identity.isScalar(node))
-        return visitor.Scalar?.(key, node, path43);
+        return visitor.Scalar?.(key, node, path44);
       if (identity.isAlias(node))
-        return visitor.Alias?.(key, node, path43);
+        return visitor.Alias?.(key, node, path44);
       return void 0;
     }
-    function replaceNode(key, path43, node) {
-      const parent = path43[path43.length - 1];
+    function replaceNode(key, path44, node) {
+      const parent = path44[path44.length - 1];
       if (identity.isCollection(parent)) {
         parent.items[key] = node;
       } else if (identity.isPair(parent)) {
@@ -3839,10 +3839,10 @@ var require_Collection = __commonJS({
     var createNode = require_createNode();
     var identity = require_identity();
     var Node = require_Node();
-    function collectionFromPath(schema, path43, value) {
+    function collectionFromPath(schema, path44, value) {
       let v = value;
-      for (let i = path43.length - 1; i >= 0; --i) {
-        const k = path43[i];
+      for (let i = path44.length - 1; i >= 0; --i) {
+        const k = path44[i];
         if (typeof k === "number" && Number.isInteger(k) && k >= 0) {
           const a = [];
           a[k] = v;
@@ -3861,7 +3861,7 @@ var require_Collection = __commonJS({
         sourceObjects: /* @__PURE__ */ new Map()
       });
     }
-    var isEmptyPath = (path43) => path43 == null || typeof path43 === "object" && !!path43[Symbol.iterator]().next().done;
+    var isEmptyPath = (path44) => path44 == null || typeof path44 === "object" && !!path44[Symbol.iterator]().next().done;
     var Collection = class extends Node.NodeBase {
       constructor(type, schema) {
         super(type);
@@ -3891,11 +3891,11 @@ var require_Collection = __commonJS({
        * be a Pair instance or a `{ key, value }` object, which may not have a key
        * that already exists in the map.
        */
-      addIn(path43, value) {
-        if (isEmptyPath(path43))
+      addIn(path44, value) {
+        if (isEmptyPath(path44))
           this.add(value);
         else {
-          const [key, ...rest] = path43;
+          const [key, ...rest] = path44;
           const node = this.get(key, true);
           if (identity.isCollection(node))
             node.addIn(rest, value);
@@ -3909,8 +3909,8 @@ var require_Collection = __commonJS({
        * Removes a value from the collection.
        * @returns `true` if the item was found and removed.
        */
-      deleteIn(path43) {
-        const [key, ...rest] = path43;
+      deleteIn(path44) {
+        const [key, ...rest] = path44;
         if (rest.length === 0)
           return this.delete(key);
         const node = this.get(key, true);
@@ -3924,8 +3924,8 @@ var require_Collection = __commonJS({
        * scalar values from their surrounding node; to disable set `keepScalar` to
        * `true` (collections are always returned intact).
        */
-      getIn(path43, keepScalar) {
-        const [key, ...rest] = path43;
+      getIn(path44, keepScalar) {
+        const [key, ...rest] = path44;
         const node = this.get(key, true);
         if (rest.length === 0)
           return !keepScalar && identity.isScalar(node) ? node.value : node;
@@ -3943,8 +3943,8 @@ var require_Collection = __commonJS({
       /**
        * Checks if the collection includes a value with the key `key`.
        */
-      hasIn(path43) {
-        const [key, ...rest] = path43;
+      hasIn(path44) {
+        const [key, ...rest] = path44;
         if (rest.length === 0)
           return this.has(key);
         const node = this.get(key, true);
@@ -3954,8 +3954,8 @@ var require_Collection = __commonJS({
        * Sets a value in this collection. For `!!set`, `value` needs to be a
        * boolean to add/remove the item from the set.
        */
-      setIn(path43, value) {
-        const [key, ...rest] = path43;
+      setIn(path44, value) {
+        const [key, ...rest] = path44;
         if (rest.length === 0) {
           this.set(key, value);
         } else {
@@ -6459,9 +6459,9 @@ var require_Document = __commonJS({
           this.contents.add(value);
       }
       /** Adds a value to the document. */
-      addIn(path43, value) {
+      addIn(path44, value) {
         if (assertCollection(this.contents))
-          this.contents.addIn(path43, value);
+          this.contents.addIn(path44, value);
       }
       /**
        * Create a new `Alias` node, ensuring that the target `node` has the required anchor.
@@ -6536,14 +6536,14 @@ var require_Document = __commonJS({
        * Removes a value from the document.
        * @returns `true` if the item was found and removed.
        */
-      deleteIn(path43) {
-        if (Collection.isEmptyPath(path43)) {
+      deleteIn(path44) {
+        if (Collection.isEmptyPath(path44)) {
           if (this.contents == null)
             return false;
           this.contents = null;
           return true;
         }
-        return assertCollection(this.contents) ? this.contents.deleteIn(path43) : false;
+        return assertCollection(this.contents) ? this.contents.deleteIn(path44) : false;
       }
       /**
        * Returns item at `key`, or `undefined` if not found. By default unwraps
@@ -6558,10 +6558,10 @@ var require_Document = __commonJS({
        * scalar values from their surrounding node; to disable set `keepScalar` to
        * `true` (collections are always returned intact).
        */
-      getIn(path43, keepScalar) {
-        if (Collection.isEmptyPath(path43))
+      getIn(path44, keepScalar) {
+        if (Collection.isEmptyPath(path44))
           return !keepScalar && identity.isScalar(this.contents) ? this.contents.value : this.contents;
-        return identity.isCollection(this.contents) ? this.contents.getIn(path43, keepScalar) : void 0;
+        return identity.isCollection(this.contents) ? this.contents.getIn(path44, keepScalar) : void 0;
       }
       /**
        * Checks if the document includes a value with the key `key`.
@@ -6572,10 +6572,10 @@ var require_Document = __commonJS({
       /**
        * Checks if the document includes a value at `path`.
        */
-      hasIn(path43) {
-        if (Collection.isEmptyPath(path43))
+      hasIn(path44) {
+        if (Collection.isEmptyPath(path44))
           return this.contents !== void 0;
-        return identity.isCollection(this.contents) ? this.contents.hasIn(path43) : false;
+        return identity.isCollection(this.contents) ? this.contents.hasIn(path44) : false;
       }
       /**
        * Sets a value in this document. For `!!set`, `value` needs to be a
@@ -6592,13 +6592,13 @@ var require_Document = __commonJS({
        * Sets a value in this document. For `!!set`, `value` needs to be a
        * boolean to add/remove the item from the set.
        */
-      setIn(path43, value) {
-        if (Collection.isEmptyPath(path43)) {
+      setIn(path44, value) {
+        if (Collection.isEmptyPath(path44)) {
           this.contents = value;
         } else if (this.contents == null) {
-          this.contents = Collection.collectionFromPath(this.schema, Array.from(path43), value);
+          this.contents = Collection.collectionFromPath(this.schema, Array.from(path44), value);
         } else if (assertCollection(this.contents)) {
-          this.contents.setIn(path43, value);
+          this.contents.setIn(path44, value);
         }
       }
       /**
@@ -8550,9 +8550,9 @@ var require_cst_visit = __commonJS({
     visit.BREAK = BREAK;
     visit.SKIP = SKIP;
     visit.REMOVE = REMOVE;
-    visit.itemAtPath = (cst, path43) => {
+    visit.itemAtPath = (cst, path44) => {
       let item = cst;
-      for (const [field, index] of path43) {
+      for (const [field, index] of path44) {
         const tok = item?.[field];
         if (tok && "items" in tok) {
           item = tok.items[index];
@@ -8561,23 +8561,23 @@ var require_cst_visit = __commonJS({
       }
       return item;
     };
-    visit.parentCollection = (cst, path43) => {
-      const parent = visit.itemAtPath(cst, path43.slice(0, -1));
-      const field = path43[path43.length - 1][0];
+    visit.parentCollection = (cst, path44) => {
+      const parent = visit.itemAtPath(cst, path44.slice(0, -1));
+      const field = path44[path44.length - 1][0];
       const coll = parent?.[field];
       if (coll && "items" in coll)
         return coll;
       throw new Error("Parent collection not found");
     };
-    function _visit(path43, item, visitor) {
-      let ctrl = visitor(item, path43);
+    function _visit(path44, item, visitor) {
+      let ctrl = visitor(item, path44);
       if (typeof ctrl === "symbol")
         return ctrl;
       for (const field of ["key", "value"]) {
         const token = item[field];
         if (token && "items" in token) {
           for (let i = 0; i < token.items.length; ++i) {
-            const ci = _visit(Object.freeze(path43.concat([[field, i]])), token.items[i], visitor);
+            const ci = _visit(Object.freeze(path44.concat([[field, i]])), token.items[i], visitor);
             if (typeof ci === "number")
               i = ci - 1;
             else if (ci === BREAK)
@@ -8588,10 +8588,10 @@ var require_cst_visit = __commonJS({
             }
           }
           if (typeof ctrl === "function" && field === "key")
-            ctrl = ctrl(item, path43);
+            ctrl = ctrl(item, path44);
         }
       }
-      return typeof ctrl === "function" ? ctrl(item, path43) : ctrl;
+      return typeof ctrl === "function" ? ctrl(item, path44) : ctrl;
     }
     exports.visit = visit;
   }
@@ -9876,14 +9876,14 @@ var require_parser = __commonJS({
             case "scalar":
             case "single-quoted-scalar":
             case "double-quoted-scalar": {
-              const fs26 = this.flowScalar(this.type);
+              const fs27 = this.flowScalar(this.type);
               if (atNextItem || it.value) {
-                map.items.push({ start, key: fs26, sep: [] });
+                map.items.push({ start, key: fs27, sep: [] });
                 this.onKeyLine = true;
               } else if (it.sep) {
-                this.stack.push(fs26);
+                this.stack.push(fs27);
               } else {
-                Object.assign(it, { key: fs26, sep: [] });
+                Object.assign(it, { key: fs27, sep: [] });
                 this.onKeyLine = true;
               }
               return;
@@ -10011,13 +10011,13 @@ var require_parser = __commonJS({
             case "scalar":
             case "single-quoted-scalar":
             case "double-quoted-scalar": {
-              const fs26 = this.flowScalar(this.type);
+              const fs27 = this.flowScalar(this.type);
               if (!it || it.value)
-                fc.items.push({ start: [], key: fs26, sep: [] });
+                fc.items.push({ start: [], key: fs27, sep: [] });
               else if (it.sep)
-                this.stack.push(fs26);
+                this.stack.push(fs27);
               else
-                Object.assign(it, { key: fs26, sep: [] });
+                Object.assign(it, { key: fs27, sep: [] });
               return;
             }
             case "flow-map-end":
@@ -10225,7 +10225,7 @@ var require_public_api = __commonJS({
       }
       return doc;
     }
-    function parse15(src, reviver, options) {
+    function parse16(src, reviver, options) {
       let _reviver = void 0;
       if (typeof reviver === "function") {
         _reviver = reviver;
@@ -10266,7 +10266,7 @@ var require_public_api = __commonJS({
         return value.toString(options);
       return new Document.Document(value, _replacer, options).toString(options);
     }
-    exports.parse = parse15;
+    exports.parse = parse16;
     exports.parseAllDocuments = parseAllDocuments;
     exports.parseDocument = parseDocument;
     exports.stringify = stringify7;
@@ -11463,10 +11463,11 @@ var init_metadata = __esm({
 // ../core/src/matrix/manager.ts
 import * as fs5 from "fs";
 import * as path4 from "path";
-var MatrixManager;
+var YAML3, MatrixManager;
 var init_manager = __esm({
   "../core/src/matrix/manager.ts"() {
     "use strict";
+    YAML3 = __toESM(require_dist());
     init_metadata();
     MatrixManager = class {
       /**
@@ -11522,9 +11523,15 @@ var init_manager = __esm({
        * @param repoRoot - Absolute path to the repository root.
        * @param sopsClient - SOPS client used to decrypt each cell.
        */
-      async getMatrixStatus(manifest, repoRoot, sopsClient) {
+      async getMatrixStatus(manifest, repoRoot, _sopsClient) {
         const cells = this.resolveMatrix(manifest, repoRoot);
         const statuses = [];
+        const cellKeys = /* @__PURE__ */ new Map();
+        for (const cell of cells) {
+          if (cell.exists) {
+            cellKeys.set(cell.filePath, this.readKeyNames(cell.filePath));
+          }
+        }
         for (const cell of cells) {
           if (!cell.exists) {
             statuses.push({
@@ -11547,48 +11554,56 @@ var init_manager = __esm({
             pendingCount = pending.length;
           } catch {
           }
-          try {
-            const decrypted = await sopsClient.decrypt(cell.filePath);
-            const keyCount = Object.keys(decrypted.values).length;
-            const lastModified = decrypted.metadata.lastModified;
-            const issues = [];
-            const siblingCells = cells.filter(
-              (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
-            );
-            for (const sibling of siblingCells) {
-              try {
-                const siblingDecrypted = await sopsClient.decrypt(sibling.filePath);
-                const siblingKeys = Object.keys(siblingDecrypted.values);
-                const currentKeys = Object.keys(decrypted.values);
-                const missingKeys = siblingKeys.filter((k) => !currentKeys.includes(k));
-                for (const mk of missingKeys) {
-                  issues.push({
-                    type: "missing_keys",
-                    message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
-                    key: mk
-                  });
-                }
-              } catch {
-              }
+          const keys = cellKeys.get(cell.filePath) ?? [];
+          const keyCount = keys.length;
+          const lastModified = this.readLastModified(cell.filePath);
+          const issues = [];
+          const siblingCells = cells.filter(
+            (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
+          );
+          for (const sibling of siblingCells) {
+            const siblingKeys = cellKeys.get(sibling.filePath) ?? [];
+            const missingKeys = siblingKeys.filter((k) => !keys.includes(k));
+            for (const mk of missingKeys) {
+              issues.push({
+                type: "missing_keys",
+                message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
+                key: mk
+              });
             }
-            statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
-          } catch {
-            statuses.push({
-              cell,
-              keyCount: 0,
-              pendingCount: 0,
-              lastModified: null,
-              issues: [
-                {
-                  type: "sops_error",
-                  message: `Could not decrypt '${cell.filePath}'. Check your key configuration.`
-                }
-              ]
-            });
           }
+          statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
         }
         return statuses;
       }
+      /**
+       * Read top-level key names from a SOPS file without decryption.
+       * SOPS stores key names in plaintext — only values are encrypted.
+       */
+      readKeyNames(filePath) {
+        try {
+          const raw = fs5.readFileSync(filePath, "utf-8");
+          const parsed = YAML3.parse(raw);
+          if (!parsed || typeof parsed !== "object") return [];
+          return Object.keys(parsed).filter((k) => k !== "sops");
+        } catch {
+          return [];
+        }
+      }
+      /**
+       * Read the lastModified timestamp from SOPS metadata without decryption.
+       */
+      readLastModified(filePath) {
+        try {
+          const raw = fs5.readFileSync(filePath, "utf-8");
+          const parsed = YAML3.parse(raw);
+          const sops = parsed?.sops;
+          if (sops?.lastmodified) return new Date(String(sops.lastmodified));
+          return null;
+        } catch {
+          return null;
+        }
+      }
       /**
        * Check whether an environment has the `protected` flag set in the manifest.
        *
@@ -11605,11 +11620,11 @@ var init_manager = __esm({
 
 // ../core/src/schema/validator.ts
 import * as fs6 from "fs";
-var YAML3, SchemaValidator;
+var YAML4, SchemaValidator;
 var init_validator2 = __esm({
   "../core/src/schema/validator.ts"() {
     "use strict";
-    YAML3 = __toESM(require_dist());
+    YAML4 = __toESM(require_dist());
     init_types();
     SchemaValidator = class {
       /**
@@ -11628,7 +11643,7 @@ var init_validator2 = __esm({
         }
         let parsed;
         try {
-          parsed = YAML3.parse(raw);
+          parsed = YAML4.parse(raw);
         } catch {
           throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
         }
@@ -19702,11 +19717,11 @@ function openWindowsInputPipe(content) {
     });
   });
 }
-var YAML4, SopsClient;
+var YAML5, SopsClient;
 var init_client = __esm({
   "../core/src/sops/client.ts"() {
     "use strict";
-    YAML4 = __toESM(require_dist());
+    YAML5 = __toESM(require_dist());
     init_types();
     init_checker();
     init_keygen();
@@ -19771,7 +19786,7 @@ var init_client = __esm({
         }
         let parsed;
         try {
-          parsed = YAML4.parse(result.stdout) ?? {};
+          parsed = YAML5.parse(result.stdout) ?? {};
         } catch {
           throw new SopsDecryptionError(
             `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -19798,7 +19813,7 @@ var init_client = __esm({
       async encrypt(filePath, values, manifest, environment) {
         await assertSops(this.runner, this.sopsCommand);
         const fmt = formatFromPath(filePath);
-        const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML4.stringify(values);
+        const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML5.stringify(values);
         const args = this.buildEncryptArgs(filePath, manifest, environment);
         const env = this.buildSopsEnv();
         let inputArg;
@@ -19998,7 +20013,7 @@ var init_client = __esm({
         }
         let parsed;
         try {
-          parsed = YAML4.parse(content);
+          parsed = YAML5.parse(content);
         } catch {
           throw new SopsDecryptionError(
             `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -20307,7 +20322,7 @@ var init_runner = __esm({
       /**
        * Lint service identity configurations for drift issues.
        */
-      async lintServiceIdentities(identities, manifest, _repoRoot, existingCells) {
+      async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
         const issues = [];
         const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
         const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
@@ -20466,7 +20481,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML5.parse(content);
+    const parsed = YAML6.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -20547,7 +20562,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML5.parse(content);
+    parsed = YAML6.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -20581,7 +20596,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse6(content, format, filePath) {
+function parse7(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -20592,11 +20607,11 @@ function parse6(content, format, filePath) {
       return parseYaml(content);
   }
 }
-var YAML5;
+var YAML6;
 var init_parsers = __esm({
   "../core/src/import/parsers.ts"() {
     "use strict";
-    YAML5 = __toESM(require_dist());
+    YAML6 = __toESM(require_dist());
   }
 });
 
@@ -20627,7 +20642,7 @@ var init_import = __esm({
           repoRoot,
           manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
         );
-        const parsed = parse6(content, options.format ?? "auto", sourcePath ?? "");
+        const parsed = parse7(content, options.format ?? "auto", sourcePath ?? "");
         let candidates = Object.entries(parsed.pairs);
         if (options.prefix) {
           const prefix2 = options.prefix;
@@ -20708,11 +20723,11 @@ function toRecipient(entry) {
 function readManifestYaml(repoRoot) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
   const raw = fs11.readFileSync(manifestPath, "utf-8");
-  return YAML6.parse(raw);
+  return YAML7.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs11.writeFileSync(manifestPath, YAML6.stringify(doc), "utf-8");
+  fs11.writeFileSync(manifestPath, YAML7.stringify(doc), "utf-8");
 }
 function getRecipientsArray(doc) {
   const sops = doc.sops;
@@ -20760,11 +20775,11 @@ function ensureEnvironmentRecipientsArray(doc, envName) {
   }
   return env.recipients;
 }
-var YAML6, RecipientManager;
+var YAML7, RecipientManager;
 var init_recipients2 = __esm({
   "../core/src/recipients/index.ts"() {
     "use strict";
-    YAML6 = __toESM(require_dist());
+    YAML7 = __toESM(require_dist());
     init_validator();
     init_parser();
     RecipientManager = class {
@@ -20964,7 +20979,7 @@ function loadRequests(repoRoot) {
   try {
     if (!fs12.existsSync(filePath)) return [];
     const content = fs12.readFileSync(filePath, "utf-8");
-    const parsed = YAML7.parse(content);
+    const parsed = YAML8.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -20996,7 +21011,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML7.stringify(data), "utf-8");
+  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML8.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label2, environment) {
   const requests = loadRequests(repoRoot);
@@ -21030,11 +21045,11 @@ function findInList(requests, identifier) {
   const byKey = requests.find((r) => r.key === identifier);
   return byKey ?? null;
 }
-var YAML7, REQUESTS_FILENAME, HEADER_COMMENT2;
+var YAML8, REQUESTS_FILENAME, HEADER_COMMENT2;
 var init_requests = __esm({
   "../core/src/recipients/requests.ts"() {
     "use strict";
-    YAML7 = __toESM(require_dist());
+    YAML8 = __toESM(require_dist());
     REQUESTS_FILENAME = ".clef-requests.yaml";
     HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
   }
@@ -21043,11 +21058,11 @@ var init_requests = __esm({
 // ../core/src/drift/detector.ts
 import * as fs13 from "fs";
 import * as path15 from "path";
-var YAML8, DriftDetector;
+var YAML9, DriftDetector;
 var init_detector = __esm({
   "../core/src/drift/detector.ts"() {
     "use strict";
-    YAML8 = __toESM(require_dist());
+    YAML9 = __toESM(require_dist());
     init_parser();
     init_manager();
     DriftDetector = class {
@@ -21136,7 +21151,7 @@ var init_detector = __esm({
         try {
           if (!fs13.existsSync(filePath)) return null;
           const raw = fs13.readFileSync(filePath, "utf-8");
-          const parsed = YAML8.parse(raw);
+          const parsed = YAML9.parse(raw);
           if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
           return Object.keys(parsed).filter((k) => k !== "sops");
         } catch {
@@ -21289,11 +21304,11 @@ var init_sanitizer = __esm({
 // ../core/src/report/generator.ts
 import * as fs14 from "fs";
 import * as path16 from "path";
-var YAML9, ReportGenerator;
+var YAML10, ReportGenerator;
 var init_generator = __esm({
   "../core/src/report/generator.ts"() {
     "use strict";
-    YAML9 = __toESM(require_dist());
+    YAML10 = __toESM(require_dist());
     init_types();
     init_parser();
     init_runner();
@@ -21472,7 +21487,7 @@ var init_generator = __esm({
         try {
           if (!fs14.existsSync(filePath)) return 0;
           const raw = fs14.readFileSync(filePath, "utf-8");
-          const parsed = YAML9.parse(raw);
+          const parsed = YAML10.parse(raw);
           if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
           return Object.keys(parsed).filter((k) => k !== "sops").length;
         } catch {
@@ -21847,11 +21862,11 @@ var init_driver = __esm({
 import * as fs15 from "fs";
 import * as os from "os";
 import * as path17 from "path";
-var YAML10, PartialRotationError, ServiceIdentityManager;
+var YAML11, PartialRotationError, ServiceIdentityManager;
 var init_manager2 = __esm({
   "../core/src/service-identity/manager.ts"() {
     "use strict";
-    YAML10 = __toESM(require_dist());
+    YAML11 = __toESM(require_dist());
     init_types();
     init_keygen();
     init_parser();
@@ -21907,7 +21922,7 @@ var init_manager2 = __esm({
         await this.registerRecipients(definition, manifest, repoRoot);
         const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
         const raw = fs15.readFileSync(manifestPath, "utf-8");
-        const doc = YAML10.parse(raw);
+        const doc = YAML11.parse(raw);
         if (!Array.isArray(doc.service_identities)) {
           doc.service_identities = [];
         }
@@ -21919,7 +21934,7 @@ var init_manager2 = __esm({
         });
         const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
         try {
-          fs15.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+          fs15.writeFileSync(tmpCreate, YAML11.stringify(doc), "utf-8");
           fs15.renameSync(tmpCreate, manifestPath);
         } finally {
           try {
@@ -21941,6 +21956,95 @@ var init_manager2 = __esm({
       get(manifest, name) {
         return manifest.service_identities?.find((si) => si.name === name);
       }
+      /**
+       * Delete a service identity: remove its recipients from scoped SOPS files
+       * and remove it from the manifest.
+       */
+      async delete(name, manifest, repoRoot) {
+        const identity = this.get(manifest, name);
+        if (!identity) {
+          throw new Error(`Service identity '${name}' not found.`);
+        }
+        const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+        for (const cell of cells) {
+          if (!identity.namespaces.includes(cell.namespace)) continue;
+          const envConfig = identity.environments[cell.environment];
+          if (!envConfig?.recipient) continue;
+          if (isKmsEnvelope(envConfig)) continue;
+          try {
+            await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+          } catch {
+          }
+        }
+        const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+        const raw = fs15.readFileSync(manifestPath, "utf-8");
+        const doc = YAML11.parse(raw);
+        const identities = doc.service_identities;
+        if (Array.isArray(identities)) {
+          doc.service_identities = identities.filter(
+            (si) => si.name !== name
+          );
+        }
+        const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+        try {
+          fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
+          fs15.renameSync(tmp, manifestPath);
+        } finally {
+          try {
+            fs15.unlinkSync(tmp);
+          } catch {
+          }
+        }
+      }
+      /**
+       * Update environment backends on an existing service identity.
+       * Switches age → KMS (removes old recipient) or updates KMS config.
+       * Returns new private keys for any environments switched from KMS → age.
+       */
+      async updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot) {
+        const identity = this.get(manifest, name);
+        if (!identity) {
+          throw new Error(`Service identity '${name}' not found.`);
+        }
+        const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+        const raw = fs15.readFileSync(manifestPath, "utf-8");
+        const doc = YAML11.parse(raw);
+        const identities = doc.service_identities;
+        const siDoc = identities.find((si) => si.name === name);
+        const envs = siDoc.environments;
+        const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+        const privateKeys = {};
+        for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+          const oldConfig = identity.environments[envName];
+          if (!oldConfig) {
+            throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
+          }
+          if (oldConfig.recipient) {
+            const scopedCells = cells.filter(
+              (c) => identity.namespaces.includes(c.namespace) && c.environment === envName
+            );
+            for (const cell of scopedCells) {
+              try {
+                await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
+              } catch {
+              }
+            }
+          }
+          envs[envName] = { kms: kmsConfig };
+          identity.environments[envName] = { kms: kmsConfig };
+        }
+        const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+        try {
+          fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
+          fs15.renameSync(tmp, manifestPath);
+        } finally {
+          try {
+            fs15.unlinkSync(tmp);
+          } catch {
+          }
+        }
+        return { privateKeys };
+      }
       /**
        * Register a service identity's public keys as SOPS recipients on scoped matrix files.
        */
@@ -21973,7 +22077,7 @@ var init_manager2 = __esm({
         }
         const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
         const raw = fs15.readFileSync(manifestPath, "utf-8");
-        const doc = YAML10.parse(raw);
+        const doc = YAML11.parse(raw);
         const identities = doc.service_identities;
         const siDoc = identities.find((si) => si.name === name);
         const envs = siDoc.environments;
@@ -22028,7 +22132,7 @@ var init_manager2 = __esm({
         }
         const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
         try {
-          fs15.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+          fs15.writeFileSync(tmpRotate, YAML11.stringify(doc), "utf-8");
           fs15.renameSync(tmpRotate, manifestPath);
         } finally {
           try {
@@ -22201,7 +22305,8 @@ var init_packer = __esm({
           try {
             const e = new Encrypter2();
             e.addRecipient(ephemeralPublicKey);
-            ciphertext = await e.encrypt(plaintext);
+            const encrypted = await e.encrypt(plaintext);
+            ciphertext = Buffer.from(encrypted).toString("base64");
           } catch {
             throw new Error("Failed to age-encrypt artifact with ephemeral key.");
           }
@@ -22230,7 +22335,8 @@ var init_packer = __esm({
             const { Encrypter: Encrypter2 } = await Promise.resolve().then(() => (init_dist(), dist_exports));
             const e = new Encrypter2();
             e.addRecipient(resolved.recipient);
-            ciphertext = await e.encrypt(plaintext);
+            const encrypted = await e.encrypt(plaintext);
+            ciphertext = Buffer.from(encrypted).toString("base64");
           } catch {
             throw new Error("Failed to age-encrypt artifact. Check recipient key.");
           }
@@ -22332,7 +22438,7 @@ __export(src_exports, {
   markResolved: () => markResolved,
   matchPatterns: () => matchPatterns,
   metadataPath: () => metadataPath,
-  parse: () => parse6,
+  parse: () => parse7,
   parseDotenv: () => parseDotenv,
   parseIgnoreContent: () => parseIgnoreContent,
   parseJson: () => parseJson,
@@ -22470,7 +22576,7 @@ var require_ms = __commonJS({
       options = options || {};
       var type = typeof val;
       if (type === "string" && val.length > 0) {
-        return parse15(val);
+        return parse16(val);
       } else if (type === "number" && isFinite(val)) {
         return options.long ? fmtLong(val) : fmtShort(val);
       }
@@ -22478,7 +22584,7 @@ var require_ms = __commonJS({
         "val is not a non-empty string or a valid number. val=" + JSON.stringify(val)
       );
     };
-    function parse15(str2) {
+    function parse16(str2) {
       str2 = String(str2);
       if (str2.length > 100) {
         return;
@@ -23917,7 +24023,7 @@ var require_bytes = __commonJS({
     "use strict";
     module.exports = bytes;
     module.exports.format = format;
-    module.exports.parse = parse15;
+    module.exports.parse = parse16;
     var formatThousandsRegExp = /\B(?=(\d{3})+(?!\d))/g;
     var formatDecimalsRegExp = /(?:\.0*|(\.[^0]+)0+)$/;
     var map = {
@@ -23931,7 +24037,7 @@ var require_bytes = __commonJS({
     var parseRegExp = /^((-|\+)?(\d+(?:\.\d+)?)) *(kb|mb|gb|tb|pb)$/i;
     function bytes(value, options) {
       if (typeof value === "string") {
-        return parse15(value);
+        return parse16(value);
       }
       if (typeof value === "number") {
         return format(value, options);
@@ -23975,7 +24081,7 @@ var require_bytes = __commonJS({
       }
       return str2 + unitSeparator + unit;
     }
-    function parse15(val) {
+    function parse16(val) {
       if (typeof val === "number" && !isNaN(val)) {
         return val;
       }
@@ -28180,7 +28286,7 @@ var require_content_type = __commonJS({
     var QUOTE_REGEXP = /([\\"])/g;
     var TYPE_REGEXP = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+\/[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
     exports.format = format;
-    exports.parse = parse15;
+    exports.parse = parse16;
     function format(obj) {
       if (!obj || typeof obj !== "object") {
         throw new TypeError("argument obj is required");
@@ -28204,7 +28310,7 @@ var require_content_type = __commonJS({
       }
       return string;
     }
-    function parse15(string) {
+    function parse16(string) {
       if (!string) {
         throw new TypeError("argument string is required");
       }
@@ -37729,11 +37835,11 @@ var require_mime_types = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path43) {
-      if (!path43 || typeof path43 !== "string") {
+    function lookup(path44) {
+      if (!path44 || typeof path44 !== "string") {
         return false;
       }
-      var extension2 = extname2("x." + path43).toLowerCase().slice(1);
+      var extension2 = extname2("x." + path44).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -37786,7 +37892,7 @@ var require_media_typer = __commonJS({
     var TYPE_NAME_REGEXP = /^[A-Za-z0-9][A-Za-z0-9!#$&^_-]{0,126}$/;
     var TYPE_REGEXP = /^ *([A-Za-z0-9][A-Za-z0-9!#$&^_-]{0,126})\/([A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}) *$/;
     exports.format = format;
-    exports.parse = parse15;
+    exports.parse = parse16;
     exports.test = test;
     function format(obj) {
       if (!obj || typeof obj !== "object") {
@@ -37819,7 +37925,7 @@ var require_media_typer = __commonJS({
       }
       return TYPE_REGEXP.test(string.toLowerCase());
     }
-    function parse15(string) {
+    function parse16(string) {
       if (!string) {
         throw new TypeError("argument string is required");
       }
@@ -38005,7 +38111,7 @@ var require_read = __commonJS({
     var hasBody = require_type_is().hasBody;
     var { getCharset } = require_utils();
     module.exports = read2;
-    function read2(req, res, next, parse15, debug, options) {
+    function read2(req, res, next, parse16, debug, options) {
       if (onFinished.isFinished(req)) {
         debug("body already parsed");
         next();
@@ -38093,7 +38199,7 @@ var require_read = __commonJS({
         try {
           debug("parse body");
           str2 = typeof body !== "string" && encoding !== null ? iconv.decode(body, encoding) : body;
-          req.body = parse15(str2, encoding);
+          req.body = parse16(str2, encoding);
         } catch (err) {
           next(createError(400, err, {
             body: str2,
@@ -38166,7 +38272,7 @@ var require_json = __commonJS({
       const normalizedOptions = normalizeOptions(options, "application/json");
       var reviver = options?.reviver;
       var strict = options?.strict !== false;
-      function parse15(body) {
+      function parse16(body) {
         if (body.length === 0) {
           return {};
         }
@@ -38193,7 +38299,7 @@ var require_json = __commonJS({
         isValidCharset: (charset) => charset.slice(0, 4) === "utf-"
       };
       return function jsonParser(req, res, next) {
-        read2(req, res, next, parse15, debug, readOptions);
+        read2(req, res, next, parse16, debug, readOptions);
       };
     }
     function createStrictSyntaxError(str2, char) {
@@ -40771,11 +40877,11 @@ var require_lib2 = __commonJS({
   "../../node_modules/qs/lib/index.js"(exports, module) {
     "use strict";
     var stringify7 = require_stringify2();
-    var parse15 = require_parse();
+    var parse16 = require_parse();
     var formats = require_formats();
     module.exports = {
       formats,
-      parse: parse15,
+      parse: parse16,
       stringify: stringify7
     };
   }
@@ -40797,7 +40903,7 @@ var require_urlencoded = __commonJS({
         throw new TypeError("option defaultCharset must be either utf-8 or iso-8859-1");
       }
       var queryparse = createQueryParser(options);
-      function parse15(body, encoding) {
+      function parse16(body, encoding) {
         return body.length ? queryparse(body, encoding) : {};
       }
       const readOptions = {
@@ -40806,7 +40912,7 @@ var require_urlencoded = __commonJS({
         isValidCharset: (charset) => charset === "utf-8" || charset === "iso-8859-1"
       };
       return function urlencodedParser(req, res, next) {
-        read2(req, res, next, parse15, debug, readOptions);
+        read2(req, res, next, parse16, debug, readOptions);
       };
     }
     function createQueryParser(options) {
@@ -40990,7 +41096,7 @@ var require_parseurl = __commonJS({
   "../../node_modules/parseurl/index.js"(exports, module) {
     "use strict";
     var url = __require("url");
-    var parse15 = url.parse;
+    var parse16 = url.parse;
     var Url = url.Url;
     module.exports = parseurl;
     module.exports.original = originalurl;
@@ -41022,7 +41128,7 @@ var require_parseurl = __commonJS({
     }
     function fastparse(str2) {
       if (typeof str2 !== "string" || str2.charCodeAt(0) !== 47) {
-        return parse15(str2);
+        return parse16(str2);
       }
       var pathname = str2;
       var query = null;
@@ -41050,7 +41156,7 @@ var require_parseurl = __commonJS({
           /* #  */
           case 160:
           case 65279:
-            return parse15(str2);
+            return parse16(str2);
         }
       }
       var url2 = Url !== void 0 ? new Url() : {};
@@ -41201,13 +41307,13 @@ var require_view = __commonJS({
   "../../node_modules/express/lib/view.js"(exports, module) {
     "use strict";
     var debug = require_src()("express:view");
-    var path43 = __require("node:path");
-    var fs26 = __require("node:fs");
-    var dirname7 = path43.dirname;
-    var basename5 = path43.basename;
-    var extname2 = path43.extname;
-    var join39 = path43.join;
-    var resolve6 = path43.resolve;
+    var path44 = __require("node:path");
+    var fs27 = __require("node:fs");
+    var dirname7 = path44.dirname;
+    var basename5 = path44.basename;
+    var extname2 = path44.extname;
+    var join40 = path44.join;
+    var resolve6 = path44.resolve;
     module.exports = View;
     function View(name, options) {
       var opts2 = options || {};
@@ -41236,17 +41342,17 @@ var require_view = __commonJS({
       this.path = this.lookup(fileName);
     }
     View.prototype.lookup = function lookup(name) {
-      var path44;
+      var path45;
       var roots = [].concat(this.root);
       debug('lookup "%s"', name);
-      for (var i = 0; i < roots.length && !path44; i++) {
+      for (var i = 0; i < roots.length && !path45; i++) {
         var root = roots[i];
         var loc = resolve6(root, name);
         var dir = dirname7(loc);
         var file = basename5(loc);
-        path44 = this.resolve(dir, file);
+        path45 = this.resolve(dir, file);
       }
-      return path44;
+      return path45;
     };
     View.prototype.render = function render(options, callback) {
       var sync = true;
@@ -41268,21 +41374,21 @@ var require_view = __commonJS({
     };
     View.prototype.resolve = function resolve7(dir, file) {
       var ext = this.ext;
-      var path44 = join39(dir, file);
-      var stat = tryStat(path44);
+      var path45 = join40(dir, file);
+      var stat = tryStat(path45);
       if (stat && stat.isFile()) {
-        return path44;
+        return path45;
       }
-      path44 = join39(dir, basename5(file, ext), "index" + ext);
-      stat = tryStat(path44);
+      path45 = join40(dir, basename5(file, ext), "index" + ext);
+      stat = tryStat(path45);
       if (stat && stat.isFile()) {
-        return path44;
+        return path45;
       }
     };
-    function tryStat(path44) {
-      debug('stat "%s"', path44);
+    function tryStat(path45) {
+      debug('stat "%s"', path45);
       try {
-        return fs26.statSync(path44);
+        return fs27.statSync(path45);
       } catch (e) {
         return void 0;
       }
@@ -50788,11 +50894,11 @@ var require_mime_types2 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path43) {
-      if (!path43 || typeof path43 !== "string") {
+    function lookup(path44) {
+      if (!path44 || typeof path44 !== "string") {
         return false;
       }
-      var extension2 = extname2("x." + path43).toLowerCase().slice(1);
+      var extension2 = extname2("x." + path44).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -50846,7 +50952,7 @@ var require_forwarded = __commonJS({
       if (!req) {
         throw new TypeError("argument req is required");
       }
-      var proxyAddrs = parse15(req.headers["x-forwarded-for"] || "");
+      var proxyAddrs = parse16(req.headers["x-forwarded-for"] || "");
       var socketAddr = getSocketAddr(req);
       var addrs = [socketAddr].concat(proxyAddrs);
       return addrs;
@@ -50854,7 +50960,7 @@ var require_forwarded = __commonJS({
     function getSocketAddr(req) {
       return req.socket ? req.socket.remoteAddress : req.connection.remoteAddress;
     }
-    function parse15(header) {
+    function parse16(header) {
       var end = header.length;
       var list = [];
       var start = header.length;
@@ -51883,7 +51989,7 @@ var require_dist2 = __commonJS({
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.PathError = exports.TokenData = void 0;
-    exports.parse = parse15;
+    exports.parse = parse16;
     exports.compile = compile;
     exports.match = match;
     exports.pathToRegexp = pathToRegexp;
@@ -51929,7 +52035,7 @@ var require_dist2 = __commonJS({
       }
     };
     exports.PathError = PathError;
-    function parse15(str2, options = {}) {
+    function parse16(str2, options = {}) {
       const { encodePath = NOOP_VALUE } = options;
       const chars = [...str2];
       const tokens = [];
@@ -51985,15 +52091,15 @@ var require_dist2 = __commonJS({
           if (token.type === endType)
             break;
           if (token.type === "char" || token.type === "escape") {
-            let path43 = token.value;
+            let path44 = token.value;
             let cur = tokens[pos];
             while (cur.type === "char" || cur.type === "escape") {
-              path43 += cur.value;
+              path44 += cur.value;
               cur = tokens[++pos];
             }
             output.push({
               type: "text",
-              value: encodePath(path43)
+              value: encodePath(path44)
             });
             continue;
           }
@@ -52017,16 +52123,16 @@ var require_dist2 = __commonJS({
       }
       return new TokenData(consumeUntil("end"), str2);
     }
-    function compile(path43, options = {}) {
+    function compile(path44, options = {}) {
       const { encode: encode2 = encodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
-      const data = typeof path43 === "object" ? path43 : parse15(path43, options);
+      const data = typeof path44 === "object" ? path44 : parse16(path44, options);
       const fn = tokensToFunction(data.tokens, delimiter, encode2);
-      return function path44(params = {}) {
-        const [path45, ...missing] = fn(params);
+      return function path45(params = {}) {
+        const [path46, ...missing] = fn(params);
         if (missing.length) {
           throw new TypeError(`Missing parameters: ${missing.join(", ")}`);
         }
-        return path45;
+        return path46;
       };
     }
     function tokensToFunction(tokens, delimiter, encode2) {
@@ -52082,9 +52188,9 @@ var require_dist2 = __commonJS({
         return [encodeValue(value)];
       };
     }
-    function match(path43, options = {}) {
+    function match(path44, options = {}) {
       const { decode: decode2 = decodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
-      const { regexp, keys } = pathToRegexp(path43, options);
+      const { regexp, keys } = pathToRegexp(path44, options);
       const decoders = keys.map((key) => {
         if (decode2 === false)
           return NOOP_VALUE;
@@ -52096,7 +52202,7 @@ var require_dist2 = __commonJS({
         const m = regexp.exec(input);
         if (!m)
           return false;
-        const path44 = m[0];
+        const path45 = m[0];
         const params = /* @__PURE__ */ Object.create(null);
         for (let i = 1; i < m.length; i++) {
           if (m[i] === void 0)
@@ -52105,16 +52211,16 @@ var require_dist2 = __commonJS({
           const decoder = decoders[i - 1];
           params[key.name] = decoder(m[i]);
         }
-        return { path: path44, params };
+        return { path: path45, params };
       };
     }
-    function pathToRegexp(path43, options = {}) {
+    function pathToRegexp(path44, options = {}) {
       const { delimiter = DEFAULT_DELIMITER, end = true, sensitive = false, trailing = true } = options;
       const keys = [];
       const flags = sensitive ? "" : "i";
       const sources = [];
-      for (const input of pathsToArray(path43, [])) {
-        const data = typeof input === "object" ? input : parse15(input, options);
+      for (const input of pathsToArray(path44, [])) {
+        const data = typeof input === "object" ? input : parse16(input, options);
         for (const tokens of flatten2(data.tokens, 0, [])) {
           sources.push(toRegExpSource(tokens, delimiter, keys, data.originalPath));
         }
@@ -52243,18 +52349,18 @@ var require_layer = __commonJS({
     var TRAILING_SLASH_REGEXP = /\/+$/;
     var MATCHING_GROUP_REGEXP = /\((?:\?<(.*?)>)?(?!\?)/g;
     module.exports = Layer;
-    function Layer(path43, options, fn) {
+    function Layer(path44, options, fn) {
       if (!(this instanceof Layer)) {
-        return new Layer(path43, options, fn);
+        return new Layer(path44, options, fn);
       }
-      debug("new %o", path43);
+      debug("new %o", path44);
       const opts2 = options || {};
       this.handle = fn;
       this.keys = [];
       this.name = fn.name || "<anonymous>";
       this.params = void 0;
       this.path = void 0;
-      this.slash = path43 === "/" && opts2.end === false;
+      this.slash = path44 === "/" && opts2.end === false;
       function matcher(_path) {
         if (_path instanceof RegExp) {
           const keys = [];
@@ -52293,7 +52399,7 @@ var require_layer = __commonJS({
           decode: decodeParam
         });
       }
-      this.matchers = Array.isArray(path43) ? path43.map(matcher) : [matcher(path43)];
+      this.matchers = Array.isArray(path44) ? path44.map(matcher) : [matcher(path44)];
     }
     Layer.prototype.handleError = function handleError(error, req, res, next) {
       const fn = this.handle;
@@ -52333,9 +52439,9 @@ var require_layer = __commonJS({
         next(err);
       }
     };
-    Layer.prototype.match = function match(path43) {
+    Layer.prototype.match = function match(path44) {
       let match2;
-      if (path43 != null) {
+      if (path44 != null) {
         if (this.slash) {
           this.params = {};
           this.path = "";
@@ -52343,7 +52449,7 @@ var require_layer = __commonJS({
         }
         let i = 0;
         while (!match2 && i < this.matchers.length) {
-          match2 = this.matchers[i](path43);
+          match2 = this.matchers[i](path44);
           i++;
         }
       }
@@ -52371,13 +52477,13 @@ var require_layer = __commonJS({
         throw err;
       }
     }
-    function loosen(path43) {
-      if (path43 instanceof RegExp || path43 === "/") {
-        return path43;
+    function loosen(path44) {
+      if (path44 instanceof RegExp || path44 === "/") {
+        return path44;
       }
-      return Array.isArray(path43) ? path43.map(function(p) {
+      return Array.isArray(path44) ? path44.map(function(p) {
         return loosen(p);
-      }) : String(path43).replace(TRAILING_SLASH_REGEXP, "");
+      }) : String(path44).replace(TRAILING_SLASH_REGEXP, "");
     }
   }
 });
@@ -52393,9 +52499,9 @@ var require_route = __commonJS({
     var flatten2 = Array.prototype.flat;
     var methods = METHODS.map((method) => method.toLowerCase());
     module.exports = Route;
-    function Route(path43) {
-      debug("new %o", path43);
-      this.path = path43;
+    function Route(path44) {
+      debug("new %o", path44);
+      this.path = path44;
       this.stack = [];
       this.methods = /* @__PURE__ */ Object.create(null);
     }
@@ -52603,8 +52709,8 @@ var require_router = __commonJS({
         if (++sync > 100) {
           return setImmediate(next, err);
         }
-        const path43 = getPathname(req);
-        if (path43 == null) {
+        const path44 = getPathname(req);
+        if (path44 == null) {
           return done(layerError);
         }
         let layer;
@@ -52612,7 +52718,7 @@ var require_router = __commonJS({
         let route;
         while (match !== true && idx < stack.length) {
           layer = stack[idx++];
-          match = matchLayer(layer, path43);
+          match = matchLayer(layer, path44);
           route = layer.route;
           if (typeof match !== "boolean") {
             layerError = layerError || match;
@@ -52650,18 +52756,18 @@ var require_router = __commonJS({
           } else if (route) {
             layer.handleRequest(req, res, next);
           } else {
-            trimPrefix(layer, layerError, layerPath, path43);
+            trimPrefix(layer, layerError, layerPath, path44);
           }
           sync = 0;
         });
       }
-      function trimPrefix(layer, layerError, layerPath, path43) {
+      function trimPrefix(layer, layerError, layerPath, path44) {
         if (layerPath.length !== 0) {
-          if (layerPath !== path43.substring(0, layerPath.length)) {
+          if (layerPath !== path44.substring(0, layerPath.length)) {
             next(layerError);
             return;
           }
-          const c = path43[layerPath.length];
+          const c = path44[layerPath.length];
           if (c && c !== "/") {
             next(layerError);
             return;
@@ -52685,7 +52791,7 @@ var require_router = __commonJS({
     };
     Router.prototype.use = function use(handler) {
       let offset = 0;
-      let path43 = "/";
+      let path44 = "/";
       if (typeof handler !== "function") {
         let arg = handler;
         while (Array.isArray(arg) && arg.length !== 0) {
@@ -52693,7 +52799,7 @@ var require_router = __commonJS({
         }
         if (typeof arg !== "function") {
           offset = 1;
-          path43 = handler;
+          path44 = handler;
         }
       }
       const callbacks = flatten2.call(slice.call(arguments, offset), Infinity);
@@ -52705,8 +52811,8 @@ var require_router = __commonJS({
         if (typeof fn !== "function") {
           throw new TypeError("argument handler must be a function");
         }
-        debug("use %o %s", path43, fn.name || "<anonymous>");
-        const layer = new Layer(path43, {
+        debug("use %o %s", path44, fn.name || "<anonymous>");
+        const layer = new Layer(path44, {
           sensitive: this.caseSensitive,
           strict: false,
           end: false
@@ -52716,9 +52822,9 @@ var require_router = __commonJS({
       }
       return this;
     };
-    Router.prototype.route = function route(path43) {
-      const route2 = new Route(path43);
-      const layer = new Layer(path43, {
+    Router.prototype.route = function route(path44) {
+      const route2 = new Route(path44);
+      const layer = new Layer(path44, {
         sensitive: this.caseSensitive,
         strict: this.strict,
         end: true
@@ -52731,8 +52837,8 @@ var require_router = __commonJS({
       return route2;
     };
     methods.concat("all").forEach(function(method) {
-      Router.prototype[method] = function(path43) {
-        const route = this.route(path43);
+      Router.prototype[method] = function(path44) {
+        const route = this.route(path44);
         route[method].apply(route, slice.call(arguments, 1));
         return this;
       };
@@ -52761,9 +52867,9 @@ var require_router = __commonJS({
       const fqdnIndex = url.substring(0, pathLength).indexOf("://");
       return fqdnIndex !== -1 ? url.substring(0, url.indexOf("/", 3 + fqdnIndex)) : void 0;
     }
-    function matchLayer(layer, path43) {
+    function matchLayer(layer, path44) {
       try {
-        return layer.match(path43);
+        return layer.match(path44);
       } catch (err) {
         return err;
       }
@@ -52991,7 +53097,7 @@ var require_application = __commonJS({
     };
     app.use = function use(fn) {
       var offset = 0;
-      var path43 = "/";
+      var path44 = "/";
       if (typeof fn !== "function") {
         var arg = fn;
         while (Array.isArray(arg) && arg.length !== 0) {
@@ -52999,7 +53105,7 @@ var require_application = __commonJS({
         }
         if (typeof arg !== "function") {
           offset = 1;
-          path43 = fn;
+          path44 = fn;
         }
       }
       var fns = flatten2.call(slice.call(arguments, offset), Infinity);
@@ -53009,12 +53115,12 @@ var require_application = __commonJS({
       var router = this.router;
       fns.forEach(function(fn2) {
         if (!fn2 || !fn2.handle || !fn2.set) {
-          return router.use(path43, fn2);
+          return router.use(path44, fn2);
         }
-        debug(".use app under %s", path43);
-        fn2.mountpath = path43;
+        debug(".use app under %s", path44);
+        fn2.mountpath = path44;
         fn2.parent = this;
-        router.use(path43, function mounted_app(req, res, next) {
+        router.use(path44, function mounted_app(req, res, next) {
           var orig = req.app;
           fn2.handle(req, res, function(err) {
             Object.setPrototypeOf(req, orig.request);
@@ -53026,8 +53132,8 @@ var require_application = __commonJS({
       }, this);
       return this;
     };
-    app.route = function route(path43) {
-      return this.router.route(path43);
+    app.route = function route(path44) {
+      return this.router.route(path44);
     };
     app.engine = function engine(ext, fn) {
       if (typeof fn !== "function") {
@@ -53070,7 +53176,7 @@ var require_application = __commonJS({
       }
       return this;
     };
-    app.path = function path43() {
+    app.path = function path44() {
       return this.parent ? this.parent.path() + this.mountpath : "";
     };
     app.enabled = function enabled(setting) {
@@ -53086,17 +53192,17 @@ var require_application = __commonJS({
       return this.set(setting, false);
     };
     methods.forEach(function(method) {
-      app[method] = function(path43) {
+      app[method] = function(path44) {
         if (method === "get" && arguments.length === 1) {
-          return this.set(path43);
+          return this.set(path44);
         }
-        var route = this.route(path43);
+        var route = this.route(path44);
         route[method].apply(route, slice.call(arguments, 1));
         return this;
       };
     });
-    app.all = function all(path43) {
-      var route = this.route(path43);
+    app.all = function all(path44) {
+      var route = this.route(path44);
       var args = slice.call(arguments, 1);
       for (var i = 0; i < methods.length; i++) {
         route[methods[i]].apply(route, args);
@@ -63130,11 +63236,11 @@ var require_mime_types3 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path43) {
-      if (!path43 || typeof path43 !== "string") {
+    function lookup(path44) {
+      if (!path44 || typeof path44 !== "string") {
         return false;
       }
-      var extension2 = extname2("x." + path43).toLowerCase().slice(1);
+      var extension2 = extname2("x." + path44).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -63423,7 +63529,7 @@ var require_request = __commonJS({
     var http = __require("node:http");
     var fresh = require_fresh();
     var parseRange = require_range_parser();
-    var parse15 = require_parseurl();
+    var parse16 = require_parseurl();
     var proxyaddr = require_proxy_addr();
     var req = Object.create(http.IncomingMessage.prototype);
     module.exports = req;
@@ -63468,7 +63574,7 @@ var require_request = __commonJS({
       if (!queryparse) {
         return /* @__PURE__ */ Object.create(null);
       }
-      var querystring = parse15(this).query;
+      var querystring = parse16(this).query;
       return queryparse(querystring);
     });
     req.is = function is(types) {
@@ -63511,8 +63617,8 @@ var require_request = __commonJS({
       var subdomains2 = !isIP(hostname) ? hostname.split(".").reverse() : [hostname];
       return subdomains2.slice(offset);
     });
-    defineGetter(req, "path", function path43() {
-      return parse15(this).pathname;
+    defineGetter(req, "path", function path44() {
+      return parse16(this).pathname;
     });
     defineGetter(req, "host", function host() {
       var trust = this.app.get("trust proxy fn");
@@ -63566,7 +63672,7 @@ var require_content_disposition = __commonJS({
   "../../node_modules/content-disposition/index.js"(exports, module) {
     "use strict";
     module.exports = contentDisposition;
-    module.exports.parse = parse15;
+    module.exports.parse = parse16;
     var basename5 = __require("path").basename;
     var ENCODE_URL_ATTR_CHAR_REGEXP = /[\x00-\x20"'()*,/:;<=>?@[\\\]{}\x7f]/g;
     var HEX_ESCAPE_REGEXP = /%[0-9A-Fa-f]{2}/;
@@ -63657,7 +63763,7 @@ var require_content_disposition = __commonJS({
     function getlatin1(val) {
       return String(val).replace(NON_LATIN1_REGEXP, "?");
     }
-    function parse15(string) {
+    function parse16(string) {
       if (!string || typeof string !== "string") {
         throw new TypeError("argument string is required");
       }
@@ -63746,7 +63852,7 @@ var require_cookie_signature = __commonJS({
 var require_cookie = __commonJS({
   "../../node_modules/cookie/index.js"(exports) {
     "use strict";
-    exports.parse = parse15;
+    exports.parse = parse16;
     exports.serialize = serialize;
     var __toString = Object.prototype.toString;
     var __hasOwnProperty = Object.prototype.hasOwnProperty;
@@ -63754,7 +63860,7 @@ var require_cookie = __commonJS({
     var cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
     var domainValueRegExp = /^([.]?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)([.][a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
     var pathValueRegExp = /^[\u0020-\u003A\u003D-\u007E]*$/;
-    function parse15(str2, opt) {
+    function parse16(str2, opt) {
       if (typeof str2 !== "string") {
         throw new TypeError("argument str must be a string");
       }
@@ -73364,11 +73470,11 @@ var require_mime_types4 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path43) {
-      if (!path43 || typeof path43 !== "string") {
+    function lookup(path44) {
+      if (!path44 || typeof path44 !== "string") {
         return false;
       }
-      var extension2 = extname2("x." + path43).toLowerCase().slice(1);
+      var extension2 = extname2("x." + path44).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -73423,32 +73529,32 @@ var require_send = __commonJS({
     var escapeHtml = require_escape_html();
     var etag = require_etag();
     var fresh = require_fresh();
-    var fs26 = __require("fs");
+    var fs27 = __require("fs");
     var mime = require_mime_types4();
     var ms = require_ms();
     var onFinished = require_on_finished();
     var parseRange = require_range_parser();
-    var path43 = __require("path");
+    var path44 = __require("path");
     var statuses = require_statuses();
     var Stream = __require("stream");
     var util = __require("util");
-    var extname2 = path43.extname;
-    var join39 = path43.join;
-    var normalize = path43.normalize;
-    var resolve6 = path43.resolve;
-    var sep = path43.sep;
+    var extname2 = path44.extname;
+    var join40 = path44.join;
+    var normalize = path44.normalize;
+    var resolve6 = path44.resolve;
+    var sep = path44.sep;
     var BYTES_RANGE_REGEXP = /^ *bytes=/;
     var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1e3;
     var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
     module.exports = send;
-    function send(req, path44, options) {
-      return new SendStream(req, path44, options);
+    function send(req, path45, options) {
+      return new SendStream(req, path45, options);
     }
-    function SendStream(req, path44, options) {
+    function SendStream(req, path45, options) {
       Stream.call(this);
       var opts2 = options || {};
       this.options = opts2;
-      this.path = path44;
+      this.path = path45;
       this.req = req;
       this._acceptRanges = opts2.acceptRanges !== void 0 ? Boolean(opts2.acceptRanges) : true;
       this._cacheControl = opts2.cacheControl !== void 0 ? Boolean(opts2.cacheControl) : true;
@@ -73562,10 +73668,10 @@ var require_send = __commonJS({
       var lastModified = this.res.getHeader("Last-Modified");
       return parseHttpDate(lastModified) <= parseHttpDate(ifRange);
     };
-    SendStream.prototype.redirect = function redirect(path44) {
+    SendStream.prototype.redirect = function redirect(path45) {
       var res = this.res;
       if (hasListeners(this, "directory")) {
-        this.emit("directory", res, path44);
+        this.emit("directory", res, path45);
         return;
       }
       if (this.hasTrailingSlash()) {
@@ -73585,38 +73691,38 @@ var require_send = __commonJS({
     SendStream.prototype.pipe = function pipe(res) {
       var root = this._root;
       this.res = res;
-      var path44 = decode2(this.path);
-      if (path44 === -1) {
+      var path45 = decode2(this.path);
+      if (path45 === -1) {
         this.error(400);
         return res;
       }
-      if (~path44.indexOf("\0")) {
+      if (~path45.indexOf("\0")) {
         this.error(400);
         return res;
       }
       var parts;
       if (root !== null) {
-        if (path44) {
-          path44 = normalize("." + sep + path44);
+        if (path45) {
+          path45 = normalize("." + sep + path45);
         }
-        if (UP_PATH_REGEXP.test(path44)) {
-          debug('malicious path "%s"', path44);
+        if (UP_PATH_REGEXP.test(path45)) {
+          debug('malicious path "%s"', path45);
           this.error(403);
           return res;
         }
-        parts = path44.split(sep);
-        path44 = normalize(join39(root, path44));
+        parts = path45.split(sep);
+        path45 = normalize(join40(root, path45));
       } else {
-        if (UP_PATH_REGEXP.test(path44)) {
-          debug('malicious path "%s"', path44);
+        if (UP_PATH_REGEXP.test(path45)) {
+          debug('malicious path "%s"', path45);
           this.error(403);
           return res;
         }
-        parts = normalize(path44).split(sep);
-        path44 = resolve6(path44);
+        parts = normalize(path45).split(sep);
+        path45 = resolve6(path45);
       }
       if (containsDotFile(parts)) {
-        debug('%s dotfile "%s"', this._dotfiles, path44);
+        debug('%s dotfile "%s"', this._dotfiles, path45);
         switch (this._dotfiles) {
           case "allow":
             break;
@@ -73630,13 +73736,13 @@ var require_send = __commonJS({
         }
       }
       if (this._index.length && this.hasTrailingSlash()) {
-        this.sendIndex(path44);
+        this.sendIndex(path45);
         return res;
       }
-      this.sendFile(path44);
+      this.sendFile(path45);
       return res;
     };
-    SendStream.prototype.send = function send2(path44, stat) {
+    SendStream.prototype.send = function send2(path45, stat) {
       var len = stat.size;
       var options = this.options;
       var opts2 = {};
@@ -73648,9 +73754,9 @@ var require_send = __commonJS({
         this.headersAlreadySent();
         return;
       }
-      debug('pipe "%s"', path44);
-      this.setHeader(path44, stat);
-      this.type(path44);
+      debug('pipe "%s"', path45);
+      this.setHeader(path45, stat);
+      this.type(path45);
       if (this.isConditionalGET()) {
         if (this.isPreconditionFailure()) {
           this.error(412);
@@ -73699,30 +73805,30 @@ var require_send = __commonJS({
         res.end();
         return;
       }
-      this.stream(path44, opts2);
+      this.stream(path45, opts2);
     };
-    SendStream.prototype.sendFile = function sendFile(path44) {
+    SendStream.prototype.sendFile = function sendFile(path45) {
       var i = 0;
       var self = this;
-      debug('stat "%s"', path44);
-      fs26.stat(path44, function onstat(err, stat) {
-        var pathEndsWithSep = path44[path44.length - 1] === sep;
-        if (err && err.code === "ENOENT" && !extname2(path44) && !pathEndsWithSep) {
+      debug('stat "%s"', path45);
+      fs27.stat(path45, function onstat(err, stat) {
+        var pathEndsWithSep = path45[path45.length - 1] === sep;
+        if (err && err.code === "ENOENT" && !extname2(path45) && !pathEndsWithSep) {
           return next(err);
         }
         if (err) return self.onStatError(err);
-        if (stat.isDirectory()) return self.redirect(path44);
+        if (stat.isDirectory()) return self.redirect(path45);
         if (pathEndsWithSep) return self.error(404);
-        self.emit("file", path44, stat);
-        self.send(path44, stat);
+        self.emit("file", path45, stat);
+        self.send(path45, stat);
       });
       function next(err) {
         if (self._extensions.length <= i) {
           return err ? self.onStatError(err) : self.error(404);
         }
-        var p = path44 + "." + self._extensions[i++];
+        var p = path45 + "." + self._extensions[i++];
         debug('stat "%s"', p);
-        fs26.stat(p, function(err2, stat) {
+        fs27.stat(p, function(err2, stat) {
           if (err2) return next(err2);
           if (stat.isDirectory()) return next();
           self.emit("file", p, stat);
@@ -73730,7 +73836,7 @@ var require_send = __commonJS({
         });
       }
     };
-    SendStream.prototype.sendIndex = function sendIndex(path44) {
+    SendStream.prototype.sendIndex = function sendIndex(path45) {
       var i = -1;
       var self = this;
       function next(err) {
@@ -73738,9 +73844,9 @@ var require_send = __commonJS({
           if (err) return self.onStatError(err);
           return self.error(404);
         }
-        var p = join39(path44, self._index[i]);
+        var p = join40(path45, self._index[i]);
         debug('stat "%s"', p);
-        fs26.stat(p, function(err2, stat) {
+        fs27.stat(p, function(err2, stat) {
           if (err2) return next(err2);
           if (stat.isDirectory()) return next();
           self.emit("file", p, stat);
@@ -73749,10 +73855,10 @@ var require_send = __commonJS({
       }
       next();
     };
-    SendStream.prototype.stream = function stream2(path44, options) {
+    SendStream.prototype.stream = function stream2(path45, options) {
       var self = this;
       var res = this.res;
-      var stream3 = fs26.createReadStream(path44, options);
+      var stream3 = fs27.createReadStream(path45, options);
       this.emit("stream", stream3);
       stream3.pipe(res);
       function cleanup() {
@@ -73767,17 +73873,17 @@ var require_send = __commonJS({
         self.emit("end");
       });
     };
-    SendStream.prototype.type = function type(path44) {
+    SendStream.prototype.type = function type(path45) {
       var res = this.res;
       if (res.getHeader("Content-Type")) return;
-      var ext = extname2(path44);
+      var ext = extname2(path45);
       var type2 = mime.contentType(ext) || "application/octet-stream";
       debug("content-type %s", type2);
       res.setHeader("Content-Type", type2);
     };
-    SendStream.prototype.setHeader = function setHeader(path44, stat) {
+    SendStream.prototype.setHeader = function setHeader(path45, stat) {
       var res = this.res;
-      this.emit("headers", res, path44, stat);
+      this.emit("headers", res, path45, stat);
       if (this._acceptRanges && !res.getHeader("Accept-Ranges")) {
         debug("accept ranges");
         res.setHeader("Accept-Ranges", "bytes");
@@ -73835,9 +73941,9 @@ var require_send = __commonJS({
       }
       return err instanceof Error ? createError(status, err, { expose: false }) : createError(status, err);
     }
-    function decode2(path44) {
+    function decode2(path45) {
       try {
-        return decodeURIComponent(path44);
+        return decodeURIComponent(path45);
       } catch (err) {
         return -1;
       }
@@ -73910,7 +74016,7 @@ var require_vary = __commonJS({
       if (!field) {
         throw new TypeError("field argument is required");
       }
-      var fields = !Array.isArray(field) ? parse15(String(field)) : field;
+      var fields = !Array.isArray(field) ? parse16(String(field)) : field;
       for (var j = 0; j < fields.length; j++) {
         if (!FIELD_NAME_REGEXP.test(fields[j])) {
           throw new TypeError("field argument contains an invalid header name");
@@ -73920,7 +74026,7 @@ var require_vary = __commonJS({
         return header;
       }
       var val = header;
-      var vals = parse15(header.toLowerCase());
+      var vals = parse16(header.toLowerCase());
       if (fields.indexOf("*") !== -1 || vals.indexOf("*") !== -1) {
         return "*";
       }
@@ -73933,7 +74039,7 @@ var require_vary = __commonJS({
       }
       return val;
     }
-    function parse15(header) {
+    function parse16(header) {
       var end = 0;
       var list = [];
       var start = 0;
@@ -73981,7 +74087,7 @@ var require_response = __commonJS({
     var http = __require("node:http");
     var onFinished = require_on_finished();
     var mime = require_mime_types2();
-    var path43 = __require("node:path");
+    var path44 = __require("node:path");
     var pathIsAbsolute = __require("node:path").isAbsolute;
     var statuses = require_statuses();
     var sign = require_cookie_signature().sign;
@@ -73990,8 +74096,8 @@ var require_response = __commonJS({
     var setCharset = require_utils3().setCharset;
     var cookie = require_cookie();
     var send = require_send();
-    var extname2 = path43.extname;
-    var resolve6 = path43.resolve;
+    var extname2 = path44.extname;
+    var resolve6 = path44.resolve;
     var vary = require_vary();
     var { Buffer: Buffer2 } = __require("node:buffer");
     var res = Object.create(http.ServerResponse.prototype);
@@ -74137,26 +74243,26 @@ var require_response = __commonJS({
       this.type("txt");
       return this.send(body);
     };
-    res.sendFile = function sendFile(path44, options, callback) {
+    res.sendFile = function sendFile(path45, options, callback) {
       var done = callback;
       var req = this.req;
       var res2 = this;
       var next = req.next;
       var opts2 = options || {};
-      if (!path44) {
+      if (!path45) {
         throw new TypeError("path argument is required to res.sendFile");
       }
-      if (typeof path44 !== "string") {
+      if (typeof path45 !== "string") {
         throw new TypeError("path must be a string to res.sendFile");
       }
       if (typeof options === "function") {
         done = options;
         opts2 = {};
       }
-      if (!opts2.root && !pathIsAbsolute(path44)) {
+      if (!opts2.root && !pathIsAbsolute(path45)) {
         throw new TypeError("path must be absolute or specify root to res.sendFile");
       }
-      var pathname = encodeURI(path44);
+      var pathname = encodeURI(path45);
       opts2.etag = this.app.enabled("etag");
       var file = send(req, pathname, opts2);
       sendfile(res2, file, opts2, function(err) {
@@ -74167,7 +74273,7 @@ var require_response = __commonJS({
         }
       });
     };
-    res.download = function download(path44, filename, options, callback) {
+    res.download = function download(path45, filename, options, callback) {
       var done = callback;
       var name = filename;
       var opts2 = options || null;
@@ -74184,7 +74290,7 @@ var require_response = __commonJS({
         opts2 = filename;
       }
       var headers = {
-        "Content-Disposition": contentDisposition(name || path44)
+        "Content-Disposition": contentDisposition(name || path45)
       };
       if (opts2 && opts2.headers) {
         var keys = Object.keys(opts2.headers);
@@ -74197,7 +74303,7 @@ var require_response = __commonJS({
       }
       opts2 = Object.create(opts2);
       opts2.headers = headers;
-      var fullPath = !opts2.root ? resolve6(path44) : path44;
+      var fullPath = !opts2.root ? resolve6(path45) : path45;
       return this.sendFile(fullPath, opts2, done);
     };
     res.contentType = res.type = function contentType(type) {
@@ -74480,11 +74586,11 @@ var require_serve_static = __commonJS({
         }
         var forwardError = !fallthrough;
         var originalUrl = parseUrl.original(req);
-        var path43 = parseUrl(req).pathname;
-        if (path43 === "/" && originalUrl.pathname.substr(-1) !== "/") {
-          path43 = "";
+        var path44 = parseUrl(req).pathname;
+        if (path44 === "/" && originalUrl.pathname.substr(-1) !== "/") {
+          path44 = "";
         }
-        var stream2 = send(req, path43, opts2);
+        var stream2 = send(req, path44, opts2);
         stream2.on("directory", onDirectory);
         if (setHeaders) {
           stream2.on("headers", setHeaders);
@@ -75437,7 +75543,7 @@ var require_api = __commonJS({
     })();
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.createApiRouter = createApiRouter;
-    var path43 = __importStar(__require("path"));
+    var path44 = __importStar(__require("path"));
     var os3 = __importStar(__require("os"));
     var child_process_1 = __require("child_process");
     var express_1 = require_express2();
@@ -75455,11 +75561,11 @@ var require_api = __commonJS({
             return deps2.runner.run(cmd, args, {
               ...opts2,
               cwd: opts2?.cwd ?? deps2.repoRoot,
-              env: { SOPS_CONFIG: path43.join(deps2.repoRoot, ".sops.yaml"), ...opts2?.env }
+              env: { SOPS_CONFIG: path44.join(deps2.repoRoot, ".sops.yaml"), ...opts2?.env }
             });
           }
-          const fifoDir = (0, child_process_1.execFileSync)("mktemp", ["-d", path43.join(os3.tmpdir(), "clef-fifo-XXXXXX")]).toString().trim();
-          const fifoPath = path43.join(fifoDir, "input");
+          const fifoDir = (0, child_process_1.execFileSync)("mktemp", ["-d", path44.join(os3.tmpdir(), "clef-fifo-XXXXXX")]).toString().trim();
+          const fifoPath = path44.join(fifoDir, "input");
           (0, child_process_1.execFileSync)("mkfifo", [fifoPath]);
           const writer = (0, child_process_1.spawn)("dd", [`of=${fifoPath}`, "status=none"], {
             stdio: ["pipe", "ignore", "ignore"]
@@ -75472,7 +75578,7 @@ var require_api = __commonJS({
           return deps2.runner.run(cmd, patchedArgs, {
             ...restOpts,
             cwd: restOpts?.cwd ?? deps2.repoRoot,
-            env: { SOPS_CONFIG: path43.join(deps2.repoRoot, ".sops.yaml"), ...restOpts?.env }
+            env: { SOPS_CONFIG: path44.join(deps2.repoRoot, ".sops.yaml"), ...restOpts?.env }
           }).finally(() => {
             try {
               writer.kill();
@@ -75618,7 +75724,7 @@ var require_api = __commonJS({
             const nsDef = manifest.namespaces.find((n) => n.name === ns);
             if (nsDef?.schema) {
               try {
-                const schema = schemaValidator.loadSchema(path43.join(deps2.repoRoot, nsDef.schema));
+                const schema = schemaValidator.loadSchema(path44.join(deps2.repoRoot, nsDef.schema));
                 const result = schemaValidator.validate({ [key]: String(value) }, schema);
                 const violations = [...result.errors, ...result.warnings];
                 if (violations.length > 0) {
@@ -75882,8 +75988,8 @@ var require_api = __commonJS({
             res.status(400).json({ error: "Request body must include a 'file' string.", code: "BAD_REQUEST" });
             return;
           }
-          const resolved = path43.resolve(deps2.repoRoot, file);
-          if (!resolved.startsWith(deps2.repoRoot + path43.sep) && resolved !== deps2.repoRoot) {
+          const resolved = path44.resolve(deps2.repoRoot, file);
+          if (!resolved.startsWith(deps2.repoRoot + path44.sep) && resolved !== deps2.repoRoot) {
             res.status(400).json({
               error: "File path must be within the repository.",
               code: "BAD_REQUEST"
@@ -76033,6 +76139,42 @@ var require_api = __commonJS({
           res.status(500).json({ error: message, code: "RECIPIENTS_REMOVE_ERROR" });
         }
       });
+      router.get("/service-identities", (_req, res) => {
+        try {
+          setNoCacheHeaders(res);
+          const manifest = loadManifest();
+          const identities = manifest.service_identities ?? [];
+          const result = identities.map((si) => {
+            const environments = {};
+            for (const [envName, envConfig] of Object.entries(si.environments)) {
+              const env = manifest.environments.find((e) => e.name === envName);
+              if (envConfig.kms) {
+                environments[envName] = {
+                  type: "kms",
+                  kms: envConfig.kms,
+                  protected: env?.protected ?? false
+                };
+              } else {
+                environments[envName] = {
+                  type: "age",
+                  publicKey: envConfig.recipient,
+                  protected: env?.protected ?? false
+                };
+              }
+            }
+            return {
+              name: si.name,
+              description: si.description,
+              namespaces: si.namespaces,
+              environments
+            };
+          });
+          res.json({ identities: result });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "Failed to load service identities";
+          res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
+        }
+      });
       function dispose() {
         lastScanResult = null;
         lastScanAt = null;
@@ -76089,7 +76231,7 @@ var require_server = __commonJS({
     };
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.startServer = startServer;
-    var path43 = __importStar(__require("path"));
+    var path44 = __importStar(__require("path"));
     var path_1 = __require("path");
     var crypto_1 = __require("crypto");
     var express_1 = __importDefault(require_express2());
@@ -76185,10 +76327,10 @@ var require_server = __commonJS({
         mountSeaStaticRoutes(app, sea, staticLimiter);
       }
       if (!isSeaBinary) {
-        const resolvedClientDir = clientDir ?? path43.resolve(__dirname, "../client");
+        const resolvedClientDir = clientDir ?? path44.resolve(__dirname, "../client");
         app.use(staticLimiter, express_1.default.static(resolvedClientDir));
         app.get("/{*splat}", staticLimiter, (_req, res) => {
-          res.sendFile(path43.join(resolvedClientDir, "index.html"));
+          res.sendFile(path44.join(resolvedClientDir, "index.html"));
         });
       }
       const url = `http://127.0.0.1:${port}`;
@@ -76330,32 +76472,32 @@ var require_disk_cache = __commonJS({
     })();
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.DiskCache = void 0;
-    var fs26 = __importStar(__require("fs"));
-    var path43 = __importStar(__require("path"));
+    var fs27 = __importStar(__require("fs"));
+    var path44 = __importStar(__require("path"));
     var DiskCache = class {
       artifactPath;
       metaPath;
       constructor(cachePath, identity, environment) {
-        const dir = path43.join(cachePath, identity);
-        this.artifactPath = path43.join(dir, `${environment}.age.json`);
-        this.metaPath = path43.join(dir, `${environment}.meta`);
+        const dir = path44.join(cachePath, identity);
+        this.artifactPath = path44.join(dir, `${environment}.age.json`);
+        this.metaPath = path44.join(dir, `${environment}.meta`);
       }
       /** Write an artifact and optional metadata to disk (atomic via tmp+rename). */
       write(raw, sha) {
-        const dir = path43.dirname(this.artifactPath);
-        fs26.mkdirSync(dir, { recursive: true });
+        const dir = path44.dirname(this.artifactPath);
+        fs27.mkdirSync(dir, { recursive: true });
         const tmpArtifact = `${this.artifactPath}.tmp.${process.pid}`;
-        fs26.writeFileSync(tmpArtifact, raw, "utf-8");
-        fs26.renameSync(tmpArtifact, this.artifactPath);
+        fs27.writeFileSync(tmpArtifact, raw, "utf-8");
+        fs27.renameSync(tmpArtifact, this.artifactPath);
         const meta = { sha, fetchedAt: (/* @__PURE__ */ new Date()).toISOString() };
         const tmpMeta = `${this.metaPath}.tmp.${process.pid}`;
-        fs26.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
-        fs26.renameSync(tmpMeta, this.metaPath);
+        fs27.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
+        fs27.renameSync(tmpMeta, this.metaPath);
       }
       /** Read the cached artifact. Returns null if no cache file exists. */
       read() {
         try {
-          return fs26.readFileSync(this.artifactPath, "utf-8");
+          return fs27.readFileSync(this.artifactPath, "utf-8");
         } catch {
           return null;
         }
@@ -76363,7 +76505,7 @@ var require_disk_cache = __commonJS({
       /** Get the SHA from the cached metadata, if available. */
       getCachedSha() {
         try {
-          const raw = fs26.readFileSync(this.metaPath, "utf-8");
+          const raw = fs27.readFileSync(this.metaPath, "utf-8");
           const meta = JSON.parse(raw);
           return meta.sha;
         } catch {
@@ -76373,7 +76515,7 @@ var require_disk_cache = __commonJS({
       /** Get the fetchedAt timestamp from metadata, if available. */
       getFetchedAt() {
         try {
-          const raw = fs26.readFileSync(this.metaPath, "utf-8");
+          const raw = fs27.readFileSync(this.metaPath, "utf-8");
           const meta = JSON.parse(raw);
           return meta.fetchedAt;
         } catch {
@@ -76383,11 +76525,11 @@ var require_disk_cache = __commonJS({
       /** Remove cached artifact and metadata files. */
       purge() {
         try {
-          fs26.unlinkSync(this.artifactPath);
+          fs27.unlinkSync(this.artifactPath);
         } catch {
         }
         try {
-          fs26.unlinkSync(this.metaPath);
+          fs27.unlinkSync(this.metaPath);
         } catch {
         }
       }
@@ -76439,7 +76581,7 @@ var require_decrypt = __commonJS({
     })();
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.AgeDecryptor = void 0;
-    var fs26 = __importStar(__require("fs"));
+    var fs27 = __importStar(__require("fs"));
     var AgeDecryptor = class {
       /**
        * Decrypt an age-encrypted PEM-armored ciphertext string.
@@ -76452,7 +76594,7 @@ var require_decrypt = __commonJS({
         const { Decrypter: Decrypter2 } = await Promise.resolve(`${"age-encryption"}`).then((s) => __importStar(__require(s)));
         const d = new Decrypter2();
         d.addIdentity(privateKey);
-        return d.decrypt(ciphertext, "text");
+        return d.decrypt(Buffer.from(ciphertext, "base64"), "text");
       }
       /**
        * Resolve the age private key from either an inline value or a file path.
@@ -76465,7 +76607,7 @@ var require_decrypt = __commonJS({
         if (ageKey)
           return ageKey.trim();
         if (ageKeyFile) {
-          const content = fs26.readFileSync(ageKeyFile, "utf-8").trim();
+          const content = fs27.readFileSync(ageKeyFile, "utf-8").trim();
           const lines = content.split("\n").filter((l) => l.startsWith("AGE-SECRET-KEY-"));
           if (lines.length === 0) {
             throw new Error(`No age secret key found in file: ${ageKeyFile}`);
@@ -77275,8 +77417,8 @@ var require_github = __commonJS({
         this.ref = config.ref;
         this.apiUrl = config.apiUrl ?? "https://api.github.com";
       }
-      async fetchFile(path43) {
-        const url = new URL(`/repos/${this.repo}/contents/${path43}`, this.apiUrl);
+      async fetchFile(path44) {
+        const url = new URL(`/repos/${this.repo}/contents/${path44}`, this.apiUrl);
         if (this.ref)
           url.searchParams.set("ref", this.ref);
         const res = await fetch(url.toString(), {
@@ -77286,7 +77428,7 @@ var require_github = __commonJS({
           }
         });
         if (!res.ok) {
-          throw new Error(`GitHub API error: ${res.status} fetching ${path43} from ${this.repo}`);
+          throw new Error(`GitHub API error: ${res.status} fetching ${path44} from ${this.repo}`);
         }
         const data = await res.json();
         const content = Buffer.from(data.content, "base64").toString("utf-8");
@@ -77314,9 +77456,9 @@ var require_gitlab = __commonJS({
         this.ref = config.ref;
         this.apiUrl = config.apiUrl ?? "https://gitlab.com";
       }
-      async fetchFile(path43) {
+      async fetchFile(path44) {
         const encodedRepo = encodeURIComponent(this.repo);
-        const encodedPath = encodeURIComponent(path43);
+        const encodedPath = encodeURIComponent(path44);
         const url = new URL(`/api/v4/projects/${encodedRepo}/repository/files/${encodedPath}`, this.apiUrl);
         if (this.ref)
           url.searchParams.set("ref", this.ref);
@@ -77326,7 +77468,7 @@ var require_gitlab = __commonJS({
           }
         });
         if (!res.ok) {
-          throw new Error(`GitLab API error: ${res.status} fetching ${path43} from ${this.repo}`);
+          throw new Error(`GitLab API error: ${res.status} fetching ${path44} from ${this.repo}`);
         }
         const data = await res.json();
         const content = Buffer.from(data.content, "base64").toString("utf-8");
@@ -77354,8 +77496,8 @@ var require_bitbucket = __commonJS({
         this.ref = config.ref ?? "main";
         this.apiUrl = config.apiUrl ?? "https://api.bitbucket.org";
       }
-      async fetchFile(path43) {
-        const baseUrl = `${this.apiUrl}/2.0/repositories/${this.repo}/src/${this.ref}/${path43}`;
+      async fetchFile(path44) {
+        const baseUrl = `${this.apiUrl}/2.0/repositories/${this.repo}/src/${this.ref}/${path44}`;
         const metaRes = await fetch(baseUrl, {
           headers: {
             Authorization: `Bearer ${this.token}`,
@@ -77363,7 +77505,7 @@ var require_bitbucket = __commonJS({
           }
         });
         if (!metaRes.ok) {
-          throw new Error(`Bitbucket API error: ${metaRes.status} fetching ${path43} from ${this.repo}`);
+          throw new Error(`Bitbucket API error: ${metaRes.status} fetching ${path44} from ${this.repo}`);
         }
         const meta = await metaRes.json();
         const rawRes = await fetch(baseUrl, {
@@ -77372,7 +77514,7 @@ var require_bitbucket = __commonJS({
           }
         });
         if (!rawRes.ok) {
-          throw new Error(`Bitbucket API error: ${rawRes.status} fetching raw content of ${path43} from ${this.repo}`);
+          throw new Error(`Bitbucket API error: ${rawRes.status} fetching raw content of ${path44} from ${this.repo}`);
         }
         const content = await rawRes.text();
         return { content, sha: meta.commit.hash };
@@ -77490,14 +77632,14 @@ var require_file = __commonJS({
     })();
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.FileArtifactSource = void 0;
-    var fs26 = __importStar(__require("fs"));
+    var fs27 = __importStar(__require("fs"));
     var FileArtifactSource = class {
       path;
       constructor(filePath) {
         this.path = filePath;
       }
       async fetch() {
-        const raw = fs26.readFileSync(this.path, "utf-8");
+        const raw = fs27.readFileSync(this.path, "utf-8");
         return { raw };
       }
       describe() {
@@ -77764,7 +77906,7 @@ var NodeSubprocessRunner = class {
 };
 
 // src/commands/init.ts
-var YAML11 = __toESM(require_dist());
+var YAML12 = __toESM(require_dist());
 init_src();
 import * as fs17 from "fs";
 import * as path19 from "path";
@@ -77911,6 +78053,7 @@ ${label2}
     return new Promise((resolve6) => {
       rl.question(color(import_picocolors.default.yellow, `${prompt} [y/N] `), (answer) => {
         rl.close();
+        process.stdin.pause();
         resolve6(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
       });
     });
@@ -77950,6 +78093,7 @@ ${label2}
             process.stdin.setRawMode(false);
           }
           process.stdin.removeListener("data", onData);
+          process.stdin.pause();
           process.stderr.write("\n");
           resolve6(value);
         } else if (char === "") {
@@ -78082,25 +78226,57 @@ async function getDarwin(runner2, account) {
     if (result.exitCode === 0) {
       const key = result.stdout.trim();
       if (key.startsWith("AGE-SECRET-KEY-")) return key;
+      if (key) {
+        formatter.warn(
+          "OS keychain entry exists but contains invalid key data\n  (expected AGE-SECRET-KEY-... format). The entry may be corrupted.\n  Delete the 'clef' entry in Keychain Access and re-run clef init."
+        );
+      }
     }
     return null;
   } catch {
     return null;
   }
 }
+async function readDarwinRaw(runner2, account) {
+  try {
+    const result = await runner2.run("security", [
+      "find-generic-password",
+      "-a",
+      account,
+      "-s",
+      SERVICE,
+      "-w"
+    ]);
+    return result.exitCode === 0 ? result.stdout.trim() : "";
+  } catch {
+    return "";
+  }
+}
 async function setDarwin(runner2, privateKey, account) {
   await runner2.run("security", ["delete-generic-password", "-a", account, "-s", SERVICE]).catch(() => {
   });
-  const result = await runner2.run("security", [
-    "add-generic-password",
-    "-a",
-    account,
-    "-s",
-    SERVICE,
-    "-w",
-    privateKey
-  ]);
-  return result.exitCode === 0;
+  try {
+    const result = await runner2.run("security", [
+      "add-generic-password",
+      "-a",
+      account,
+      "-s",
+      SERVICE,
+      "-w",
+      privateKey
+    ]);
+    if (result.exitCode !== 0) return false;
+    const stored = await readDarwinRaw(runner2, account);
+    if (stored === privateKey) return true;
+    formatter.warn(
+      "Keychain write succeeded but read-back verification failed \u2014\n  the stored value may be truncated or corrupted.\n  Falling back to file-based key storage."
+    );
+    await runner2.run("security", ["delete-generic-password", "-a", account, "-s", SERVICE]).catch(() => {
+    });
+    return false;
+  } catch {
+    return false;
+  }
 }
 async function getLinux(runner2, account) {
   try {
@@ -78114,6 +78290,11 @@ async function getLinux(runner2, account) {
     if (result.exitCode === 0) {
       const key = result.stdout.trim();
       if (key.startsWith("AGE-SECRET-KEY-")) return key;
+      if (key) {
+        formatter.warn(
+          "OS keychain entry exists but contains invalid key data\n  (expected AGE-SECRET-KEY-... format). The entry may be corrupted."
+        );
+      }
     }
     return null;
   } catch {
@@ -78157,6 +78338,11 @@ ${CRED_HELPER_CS}
     if (result.exitCode === 0) {
       const key = result.stdout.trim();
       if (key.startsWith("AGE-SECRET-KEY-")) return key;
+      if (key) {
+        formatter.warn(
+          "Windows Credential Manager entry exists but contains invalid key data\n  (expected AGE-SECRET-KEY-... format). The entry may be corrupted."
+        );
+      }
     }
     return null;
   } catch {
@@ -78423,6 +78609,9 @@ async function handleSecondDevOnboarding(repoRoot, clefConfigPath, deps2, option
     formatter.success("Stored age key in OS keychain");
     config = { age_key_storage: "keychain", age_keychain_label: label2 };
   } else {
+    formatter.warn(
+      "OS keychain is not available on this system.\n  The private key will be written to the filesystem instead.\n  See https://docs.clef.sh/guide/key-storage for security implications."
+    );
     let keyPath;
     if (options.nonInteractive || !process.stdin.isTTY) {
       keyPath = process.env.CLEF_AGE_KEY_FILE || defaultAgeKeyPath(label2);
@@ -78449,7 +78638,7 @@ async function handleSecondDevOnboarding(repoRoot, clefConfigPath, deps2, option
   if (!fs17.existsSync(clefDir)) {
     fs17.mkdirSync(clefDir, { recursive: true });
   }
-  fs17.writeFileSync(clefConfigPath, YAML11.stringify(config), "utf-8");
+  fs17.writeFileSync(clefConfigPath, YAML12.stringify(config), "utf-8");
   formatter.success("Created .clef/config.yaml");
   const gitignorePath = path19.join(clefDir, ".gitignore");
   if (!fs17.existsSync(gitignorePath)) {
@@ -78506,15 +78695,14 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
   };
   const initParser = new ManifestParser();
   initParser.validate(manifest);
-  fs17.writeFileSync(manifestPath, YAML11.stringify(manifest), "utf-8");
-  formatter.success("Created clef.yaml");
   let ageKeyFile;
   let ageKey;
+  let publicKey;
   if (backend === "age") {
     const label2 = generateKeyLabel();
     const identity = await generateAgeIdentity();
     const privateKey = identity.privateKey;
-    const publicKey = identity.publicKey;
+    publicKey = identity.publicKey;
     const storedInKeychain = await setKeychainKey(deps2.runner, privateKey, label2);
     if (storedInKeychain) {
       formatter.success("Stored age key in OS keychain");
@@ -78558,7 +78746,7 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
       fs17.mkdirSync(clefDir, { recursive: true });
     }
     const config = ageKeyFile ? { age_key_file: ageKeyFile, age_key_storage: "file", age_keychain_label: label2 } : { age_key_storage: "keychain", age_keychain_label: label2 };
-    fs17.writeFileSync(clefConfigPath, YAML11.stringify(config), "utf-8");
+    fs17.writeFileSync(clefConfigPath, YAML12.stringify(config), "utf-8");
     formatter.success("Created .clef/config.yaml");
     const gitignorePath = path19.join(clefDir, ".gitignore");
     if (!fs17.existsSync(gitignorePath)) {
@@ -78566,14 +78754,18 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
       formatter.success("Created .clef/.gitignore");
     }
     formatter.success(`Key label: ${label2}`);
+  }
+  const manifestDoc = YAML12.parse(YAML12.stringify(manifest));
+  if (backend === "age" && publicKey) {
+    const sopsDoc = manifestDoc.sops;
+    sopsDoc.age = { recipients: [publicKey] };
+  }
+  fs17.writeFileSync(manifestPath, YAML12.stringify(manifestDoc), "utf-8");
+  formatter.success("Created clef.yaml");
+  {
     const sopsYamlPath = path19.join(repoRoot, ".sops.yaml");
     const sopsConfig = buildSopsYaml(manifest, repoRoot, publicKey);
-    fs17.writeFileSync(sopsYamlPath, YAML11.stringify(sopsConfig), "utf-8");
-    formatter.success("Created .sops.yaml");
-  } else {
-    const sopsYamlPath = path19.join(repoRoot, ".sops.yaml");
-    const sopsConfig = buildSopsYaml(manifest, repoRoot, void 0);
-    fs17.writeFileSync(sopsYamlPath, YAML11.stringify(sopsConfig), "utf-8");
+    fs17.writeFileSync(sopsYamlPath, YAML12.stringify(sopsConfig), "utf-8");
     formatter.success("Created .sops.yaml");
   }
   const sopsClient = new SopsClient(deps2.runner, ageKeyFile, ageKey);
@@ -78663,7 +78855,7 @@ function scaffoldSopsConfig(repoRoot) {
     agePublicKey = resolveAgePublicKeyFromEnvOrFile(repoRoot);
   }
   const sopsConfig = buildSopsYaml(manifest, repoRoot, agePublicKey);
-  fs17.writeFileSync(sopsYamlPath, YAML11.stringify(sopsConfig), "utf-8");
+  fs17.writeFileSync(sopsYamlPath, YAML12.stringify(sopsConfig), "utf-8");
 }
 function buildSopsYaml(manifest, _repoRoot, agePublicKey) {
   const creationRules = [];
@@ -78729,7 +78921,7 @@ function resolveAgePublicKeyFromEnvOrFile(repoRoot) {
   const clefConfigPath = path19.join(repoRoot, CLEF_DIR, CLEF_CONFIG_FILENAME);
   if (fs17.existsSync(clefConfigPath)) {
     try {
-      const config = YAML11.parse(fs17.readFileSync(clefConfigPath, "utf-8"));
+      const config = YAML12.parse(fs17.readFileSync(clefConfigPath, "utf-8"));
       if (config?.age_key_file) {
         const pubKey = extractAgePublicKey(config.age_key_file);
         if (pubKey) return pubKey;
@@ -78798,6 +78990,7 @@ function promptWithDefault(message, defaultValue) {
   return new Promise((resolve6) => {
     rl.question(prompt, (answer) => {
       rl.close();
+      process.stdin.pause();
       resolve6(answer.trim() || defaultValue);
     });
   });
@@ -78808,7 +79001,7 @@ init_src();
 import * as path21 from "path";
 
 // src/age-credential.ts
-var YAML12 = __toESM(require_dist());
+var YAML13 = __toESM(require_dist());
 init_src();
 import * as fs18 from "fs";
 import * as path20 from "path";
@@ -78820,6 +79013,11 @@ async function resolveAgeCredential(repoRoot, runner2) {
   if (label2) {
     const keychainKey = await getKeychainKey(runner2, label2);
     if (keychainKey) return { source: "keychain", privateKey: keychainKey };
+    if (config?.age_key_storage !== "file") {
+      formatter.warn(
+        "OS keychain is configured but the age key could not be retrieved.\n  Falling back to environment variables / key file.\n  Run clef doctor for diagnostics."
+      );
+    }
   }
   if (process.env.CLEF_AGE_KEY) return { source: "env-key" };
   if (process.env.CLEF_AGE_KEY_FILE) return { source: "env-file" };
@@ -78873,7 +79071,10 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
         const content = fs18.readFileSync(filePath, "utf-8");
         const match = content.match(AGE_SECRET_KEY_RE);
         return match ? match[1] : null;
-      } catch {
+      } catch (err) {
+        formatter.warn(
+          `Could not read age key file (CLEF_AGE_KEY_FILE=${filePath}): ${err instanceof Error ? err.message : String(err)}`
+        );
         return null;
       }
     }
@@ -78882,7 +79083,10 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
         const content = fs18.readFileSync(credential.path, "utf-8");
         const match = content.match(AGE_SECRET_KEY_RE);
         return match ? match[1] : null;
-      } catch {
+      } catch (err) {
+        formatter.warn(
+          `Could not read age key file (${credential.path}): ${err instanceof Error ? err.message : String(err)}`
+        );
         return null;
       }
     }
@@ -78892,17 +79096,53 @@ function readLocalConfig(repoRoot) {
   const clefConfigPath = path20.join(repoRoot, CLEF_DIR2, CLEF_CONFIG_FILENAME2);
   try {
     if (!fs18.existsSync(clefConfigPath)) return null;
-    return YAML12.parse(fs18.readFileSync(clefConfigPath, "utf-8"));
-  } catch {
+    return YAML13.parse(fs18.readFileSync(clefConfigPath, "utf-8"));
+  } catch (err) {
+    formatter.warn(
+      `Failed to parse ${clefConfigPath}: ${err instanceof Error ? err.message : String(err)}
+  Credential resolution will proceed without local config.`
+    );
     return null;
   }
 }
 
+// src/clipboard.ts
+import { execFileSync } from "child_process";
+function copyToClipboard(text) {
+  try {
+    switch (process.platform) {
+      case "darwin":
+        execFileSync("pbcopy", { input: text, stdio: ["pipe", "ignore", "ignore"] });
+        return true;
+      case "win32":
+        execFileSync("clip", { input: text, stdio: ["pipe", "ignore", "ignore"], shell: true });
+        return true;
+      default: {
+        for (const cmd of ["xclip", "xsel"]) {
+          try {
+            const args = cmd === "xclip" ? ["-selection", "clipboard"] : ["--clipboard", "--input"];
+            execFileSync(cmd, args, { input: text, stdio: ["pipe", "ignore", "ignore"] });
+            return true;
+          } catch {
+            continue;
+          }
+        }
+        return false;
+      }
+    }
+  } catch {
+    return false;
+  }
+}
+function maskedPlaceholder() {
+  return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
+}
+
 // src/commands/get.ts
 function registerGetCommand(program3, deps2) {
   program3.command("get <target> <key>").description(
-    "Get a single decrypted value.\n\n  target: namespace/environment (e.g. payments/production)\n  key:    the key name to retrieve\n\nExit codes:\n  0  Value found and printed\n  1  Key not found or decryption error"
-  ).action(async (target, key) => {
+    "Get a single decrypted value.\n\n  target: namespace/environment (e.g. payments/production)\n  key:    the key name to retrieve\n\nBy default, the value is copied to clipboard and obfuscated on screen.\nUse --raw to print the plaintext value to stdout.\n\nExit codes:\n  0  Value found\n  1  Key not found or decryption error"
+  ).option("--raw", "Print the plaintext value to stdout (for piping/scripting)").action(async (target, key, opts2) => {
     try {
       const [namespace, environment] = parseTarget(target);
       const repoRoot = program3.opts().dir || process.cwd();
@@ -78921,7 +79161,17 @@ function registerGetCommand(program3, deps2) {
         process.exit(1);
         return;
       }
-      formatter.keyValue(key, decrypted.values[key]);
+      const val = decrypted.values[key];
+      if (opts2.raw) {
+        formatter.raw(val);
+      } else {
+        const copied = copyToClipboard(val);
+        if (copied) {
+          formatter.print(`  ${key}: ${maskedPlaceholder()} (copied to clipboard)`);
+        } else {
+          formatter.keyValue(key, val);
+        }
+      }
     } catch (err) {
       if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
         formatter.formatDependencyError(err);
@@ -79633,7 +79883,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version = "0.1.6-beta.32";
+var version = "0.1.7-beta.45";
 var package_default = {
   name: "@clef-sh/cli",
   version,
@@ -79707,6 +79957,10 @@ function registerLintCommand(program3, deps2) {
       const matrixManager = new MatrixManager();
       const schemaValidator = new SchemaValidator();
       const lintRunner = new LintRunner(matrixManager, schemaValidator, sopsClient);
+      const cellCount = manifest.namespaces.length * manifest.environments.length;
+      formatter.print(
+        `${sym("working")}  Linting ${cellCount} file(s) across ${manifest.namespaces.length} namespace(s)...`
+      );
       let result;
       if (options.fix) {
         result = await lintRunner.fix(manifest, repoRoot);
@@ -80154,8 +80408,8 @@ init_src();
 import * as path31 from "path";
 function registerExportCommand(program3, deps2) {
   program3.command("export <target>").description(
-    "Print decrypted secrets as shell export statements to stdout.\n\n  target: namespace/environment (e.g. payments/production)\n\nUsage:\n  eval $(clef export payments/production --format env)\n\nExit codes:\n  0  Values printed successfully\n  1  Decryption error or invalid arguments"
-  ).option("--format <format>", "Output format (only 'env' is supported)", "env").option("--no-export", "Omit the 'export' keyword \u2014 output bare KEY=value pairs").action(async (target, options) => {
+    "Export decrypted secrets as shell export statements.\n\n  target: namespace/environment (e.g. payments/production)\n\nBy default, exports are copied to clipboard. Use --raw to print to stdout.\n\nUsage:\n  clef export payments/production             (copies to clipboard)\n  eval $(clef export payments/production --raw)  (injects into shell)\n\nExit codes:\n  0  Values exported successfully\n  1  Decryption error or invalid arguments"
+  ).option("--format <format>", "Output format (only 'env' is supported)", "env").option("--no-export", "Omit the 'export' keyword \u2014 output bare KEY=value pairs").option("--raw", "Print to stdout instead of clipboard (for eval/piping)").action(async (target, options) => {
     try {
       if (options.format !== "env") {
         if (options.format === "dotenv" || options.format === "json" || options.format === "yaml") {
@@ -80188,12 +80442,28 @@ Usage: clef export payments/production --format env`
       const decrypted = await sopsClient.decrypt(filePath);
       const consumption = new ConsumptionClient();
       const output = consumption.formatExport(decrypted, "env", !options.export);
-      if (process.platform === "linux") {
-        formatter.warn(
-          "Exported values will be visible in /proc/<pid>/environ to processes with ptrace access. Use clef exec when possible."
-        );
+      if (options.raw) {
+        if (process.platform === "linux") {
+          formatter.warn(
+            "Exported values will be visible in /proc/<pid>/environ to processes with ptrace access. Use clef exec when possible."
+          );
+        }
+        formatter.raw(output);
+      } else {
+        const keyCount = Object.keys(decrypted.values).length;
+        const copied = copyToClipboard(output);
+        if (copied) {
+          formatter.success(`${keyCount} secret(s) copied to clipboard as env exports.`);
+          formatter.hint("eval $(clef export " + target + " --raw)  to inject into shell");
+        } else {
+          if (process.platform === "linux") {
+            formatter.warn(
+              "Exported values will be visible in /proc/<pid>/environ to processes with ptrace access. Use clef exec when possible."
+            );
+          }
+          formatter.raw(output);
+        }
       }
-      formatter.raw(output);
     } catch (err) {
       if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
         formatter.formatDependencyError(err);
@@ -80215,7 +80485,7 @@ function parseTarget7(target) {
 }
 
 // src/commands/doctor.ts
-var YAML13 = __toESM(require_dist());
+var YAML14 = __toESM(require_dist());
 init_src();
 import * as fs20 from "fs";
 import * as path32 from "path";
@@ -80466,7 +80736,7 @@ function countAgeRecipients(sopsYamlPath) {
   try {
     if (!fs20.existsSync(sopsYamlPath)) return 0;
     const content = fs20.readFileSync(sopsYamlPath, "utf-8");
-    const config = YAML13.parse(content);
+    const config = YAML14.parse(content);
     if (!config?.creation_rules || !Array.isArray(config.creation_rules)) {
       return 0;
     }
@@ -80853,6 +81123,7 @@ function waitForEnter(message) {
     });
     rl.question(message, () => {
       rl.close();
+      process.stdin.pause();
       resolve6();
     });
   });
@@ -81402,6 +81673,9 @@ function registerServiceCommand(program3, deps2) {
                 `Invalid KMS provider '${provider}'. Must be one of: aws, gcp, azure.`
               );
             }
+            if (kmsEnvConfigs[envName]) {
+              throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
+            }
             kmsEnvConfigs[envName] = {
               provider,
               keyId
@@ -81440,13 +81714,24 @@ function registerServiceCommand(program3, deps2) {
 `
         );
         if (Object.keys(result.privateKeys).length > 0) {
-          formatter.warn(
-            "Private keys are shown ONCE. Store them securely (e.g. AWS Secrets Manager, Vault).\n"
-          );
-          for (const [envName, privateKey] of Object.entries(result.privateKeys)) {
-            formatter.print(`  ${envName}:`);
-            formatter.print(`    ${privateKey}
+          const entries = Object.entries(result.privateKeys);
+          const block = entries.map(([env, key]) => `${env}: ${key}`).join("\n");
+          const copied = copyToClipboard(block);
+          if (copied) {
+            formatter.warn("Private keys copied to clipboard. Store them securely.\n");
+            for (const [envName] of entries) {
+              formatter.print(`  ${envName}: ${maskedPlaceholder()}`);
+            }
+            formatter.print("");
+          } else {
+            formatter.warn(
+              "Private keys are shown ONCE. Store them securely (e.g. AWS Secrets Manager, Vault).\n"
+            );
+            for (const [envName, privateKey] of entries) {
+              formatter.print(`  ${envName}:`);
+              formatter.print(`    ${privateKey}
 `);
+            }
           }
           for (const k of Object.keys(result.privateKeys)) result.privateKeys[k] = "";
         }
@@ -81581,6 +81866,109 @@ Service Identity: ${identity.name}`);
       process.exit(1);
     }
   });
+  serviceCmd.command("update <name>").description("Update an existing service identity's environment backends.").option(
+    "--kms-env <mapping>",
+    "Switch an environment to KMS envelope encryption: env=provider:keyId (repeatable)",
+    (val, acc) => {
+      acc.push(val);
+      return acc;
+    },
+    []
+  ).action(async (name, opts2) => {
+    try {
+      if (opts2.kmsEnv.length === 0) {
+        formatter.error("Nothing to update. Provide --kms-env to change environment backends.");
+        process.exit(1);
+        return;
+      }
+      const repoRoot = program3.opts().dir || process.cwd();
+      const parser = new ManifestParser();
+      const manifest = parser.parse(path38.join(repoRoot, "clef.yaml"));
+      const kmsEnvConfigs = {};
+      for (const mapping of opts2.kmsEnv) {
+        const eqIdx = mapping.indexOf("=");
+        if (eqIdx === -1) {
+          throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
+        }
+        const envName = mapping.slice(0, eqIdx);
+        const rest = mapping.slice(eqIdx + 1);
+        const colonIdx = rest.indexOf(":");
+        if (colonIdx === -1) {
+          throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
+        }
+        const provider = rest.slice(0, colonIdx);
+        const keyId = rest.slice(colonIdx + 1);
+        if (!["aws", "gcp", "azure"].includes(provider)) {
+          throw new Error(`Invalid KMS provider '${provider}'. Must be one of: aws, gcp, azure.`);
+        }
+        if (kmsEnvConfigs[envName]) {
+          throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
+        }
+        kmsEnvConfigs[envName] = {
+          provider,
+          keyId
+        };
+      }
+      const matrixManager = new MatrixManager();
+      const sopsClient = await createSopsClient(repoRoot, deps2.runner);
+      const manager = new ServiceIdentityManager(sopsClient, matrixManager);
+      formatter.print(`${sym("working")}  Updating service identity '${name}'...`);
+      await manager.updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot);
+      formatter.success(`Service identity '${name}' updated.`);
+      for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+        formatter.print(`  ${envName}: switched to KMS envelope (${kmsConfig.provider})`);
+      }
+      formatter.hint(
+        `git add clef.yaml && git commit -m "chore: update service identity '${name}'"`
+      );
+    } catch (err) {
+      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
+        formatter.formatDependencyError(err);
+        process.exit(1);
+        return;
+      }
+      formatter.error(err.message);
+      process.exit(1);
+    }
+  });
+  serviceCmd.command("delete <name>").description("Delete a service identity and remove its recipients from scoped files.").action(async (name) => {
+    try {
+      const repoRoot = program3.opts().dir || process.cwd();
+      const parser = new ManifestParser();
+      const manifest = parser.parse(path38.join(repoRoot, "clef.yaml"));
+      const identity = manifest.service_identities?.find((si) => si.name === name);
+      if (!identity) {
+        formatter.error(`Service identity '${name}' not found.`);
+        process.exit(1);
+        return;
+      }
+      const confirmed = await formatter.confirm(
+        `Delete service identity '${name}'? This will remove its recipients from all scoped files.`
+      );
+      if (!confirmed) {
+        formatter.error("Aborted.");
+        process.exit(1);
+        return;
+      }
+      const matrixManager = new MatrixManager();
+      const sopsClient = await createSopsClient(repoRoot, deps2.runner);
+      const manager = new ServiceIdentityManager(sopsClient, matrixManager);
+      formatter.print(`${sym("working")}  Deleting service identity '${name}'...`);
+      await manager.delete(name, manifest, repoRoot);
+      formatter.success(`Service identity '${name}' deleted.`);
+      formatter.hint(
+        `git add clef.yaml && git commit -m "chore: delete service identity '${name}'"`
+      );
+    } catch (err) {
+      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
+        formatter.formatDependencyError(err);
+        process.exit(1);
+        return;
+      }
+      formatter.error(err.message);
+      process.exit(1);
+    }
+  });
   serviceCmd.command("rotate <name>").description("Rotate the age key for a service identity.").option("-e, --environment <env>", "Rotate only a specific environment").action(async (name, opts2) => {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
@@ -81610,11 +81998,22 @@ Service Identity: ${identity.name}`);
       formatter.print(`${sym("working")}  Rotating key for '${name}'...`);
       const newKeys = await manager.rotateKey(name, manifest, repoRoot, opts2.environment);
       formatter.success(`Key rotated for '${name}'.`);
-      formatter.warn("New private keys are shown ONCE. Store them securely.\n");
-      for (const [envName, privateKey] of Object.entries(newKeys)) {
-        formatter.print(`  ${envName}:`);
-        formatter.print(`    ${privateKey}
+      const entries = Object.entries(newKeys);
+      const block = entries.map(([env, key]) => `${env}: ${key}`).join("\n");
+      const copied = copyToClipboard(block);
+      if (copied) {
+        formatter.warn("New private keys copied to clipboard. Store them securely.\n");
+        for (const [envName] of entries) {
+          formatter.print(`  ${envName}: ${maskedPlaceholder()}`);
+        }
+        formatter.print("");
+      } else {
+        formatter.warn("New private keys are shown ONCE. Store them securely.\n");
+        for (const [envName, privateKey] of entries) {
+          formatter.print(`  ${envName}:`);
+          formatter.print(`    ${privateKey}
 `);
+        }
       }
       for (const k of Object.keys(newKeys)) newKeys[k] = "";
       formatter.hint(
@@ -81628,11 +82027,25 @@ Service Identity: ${identity.name}`);
       }
       if (err instanceof PartialRotationError) {
         formatter.error(err.message);
-        formatter.warn("Partial rotation succeeded. New private keys below \u2014 store them NOW.\n");
-        for (const [envName, privateKey] of Object.entries(err.rotatedKeys)) {
-          formatter.print(`  ${envName}:`);
-          formatter.print(`    ${privateKey}
+        const partialEntries = Object.entries(err.rotatedKeys);
+        const partialBlock = partialEntries.map(([env, key]) => `${env}: ${key}`).join("\n");
+        const partialCopied = copyToClipboard(partialBlock);
+        if (partialCopied) {
+          formatter.warn(
+            "Partial rotation succeeded. Rotated keys copied to clipboard \u2014 store them NOW.\n"
+          );
+          for (const [envName] of partialEntries) {
+            formatter.print(`  ${envName}: ${maskedPlaceholder()}`);
+          }
+        } else {
+          formatter.warn(
+            "Partial rotation succeeded. New private keys below \u2014 store them NOW.\n"
+          );
+          for (const [envName, privateKey] of partialEntries) {
+            formatter.print(`  ${envName}:`);
+            formatter.print(`    ${privateKey}
 `);
+          }
         }
         for (const k of Object.keys(err.rotatedKeys)) {
           err.rotatedKeys[k] = "";
@@ -82100,6 +82513,189 @@ function formatReportOutput(report) {
   formatter.hint("Run clef lint or clef drift locally for details.");
 }
 
+// src/commands/install.ts
+var import_yaml = __toESM(require_dist());
+import * as fs26 from "fs";
+import * as path43 from "path";
+
+// src/registry/client.ts
+var DEFAULT_REGISTRY = "https://raw.githubusercontent.com/clef-sh/clef/main/brokers";
+async function fetchIndex(registryUrl = DEFAULT_REGISTRY) {
+  const url = `${registryUrl}/index.json`;
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch registry index from ${url} (${res.status})`);
+  }
+  return await res.json();
+}
+async function fetchBrokerFile(registryUrl, brokerPath, filename) {
+  const url = `${registryUrl}/${brokerPath}/${filename}`;
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch ${filename} from ${url} (${res.status})`);
+  }
+  return res.text();
+}
+function findBroker(index, name) {
+  return index.brokers.find((b) => b.name === name);
+}
+
+// src/commands/install.ts
+var TIER_LABELS = {
+  1: "self-expiring",
+  2: "stateful",
+  3: "complex"
+};
+function registerInstallCommand(program3, _deps) {
+  program3.command("install <broker>").description(
+    "Install a broker template from the Clef registry.\n\nDownloads broker.yaml, handler.ts, and README.md\ninto brokers/<name>/ in your project.\n\nExit codes:\n  0  Broker installed successfully\n  1  Error (broker not found, network failure, etc.)"
+  ).option("--registry <url>", "Custom registry base URL", DEFAULT_REGISTRY).option("--force", "Overwrite existing broker directory without prompting").action(async (brokerName, options) => {
+    try {
+      const repoRoot = program3.opts().dir || process.cwd();
+      const registryUrl = options.registry;
+      formatter.info(`Fetching ${brokerName} from registry...`);
+      const index = await fetchIndex(registryUrl);
+      const entry = findBroker(index, brokerName);
+      if (!entry) {
+        formatter.error(
+          `Broker "${brokerName}" not found in the registry. Run 'clef search' to list available brokers.`
+        );
+        process.exit(1);
+        return;
+      }
+      const brokerDir = path43.join(repoRoot, "brokers", entry.name);
+      if (fs26.existsSync(brokerDir) && !options.force) {
+        const overwrite = await formatter.confirm(
+          `brokers/${entry.name}/ already exists. Overwrite?`
+        );
+        if (!overwrite) {
+          formatter.info("Installation cancelled.");
+          process.exit(0);
+          return;
+        }
+      }
+      const files = [];
+      for (const filename of ["broker.yaml", "handler.ts", "README.md"]) {
+        try {
+          const content = await fetchBrokerFile(registryUrl, entry.path, filename);
+          files.push({ name: filename, content });
+        } catch {
+          if (filename === "handler.ts") {
+            try {
+              const content = await fetchBrokerFile(registryUrl, entry.path, "handler.js");
+              files.push({ name: "handler.js", content });
+            } catch {
+              formatter.warn(`Could not download handler file for ${brokerName}`);
+            }
+          }
+        }
+      }
+      if (files.length === 0) {
+        formatter.error(`Could not download any files for ${brokerName}`);
+        process.exit(1);
+        return;
+      }
+      if (!fs26.existsSync(brokerDir)) {
+        fs26.mkdirSync(brokerDir, { recursive: true });
+      }
+      for (const file of files) {
+        fs26.writeFileSync(path43.join(brokerDir, file.name), file.content, "utf-8");
+      }
+      const manifestFile = files.find((f) => f.name === "broker.yaml");
+      const manifest = manifestFile ? (0, import_yaml.parse)(manifestFile.content) : {};
+      formatter.print("");
+      formatter.print(`  ${sym("success")} ${entry.name}`);
+      formatter.print("");
+      formatter.keyValue("  Name", entry.name);
+      formatter.keyValue("  Provider", entry.provider);
+      formatter.keyValue("  Tier", `${entry.tier} (${TIER_LABELS[entry.tier] ?? "unknown"})`);
+      formatter.keyValue("  Description", entry.description);
+      formatter.print("");
+      formatter.section("  Created");
+      for (const file of files) {
+        formatter.print(`    brokers/${entry.name}/${file.name}`);
+      }
+      if (manifest.inputs && manifest.inputs.length > 0) {
+        formatter.section("  Inputs");
+        for (const input of manifest.inputs) {
+          const suffix = input.default !== void 0 ? ` (default: ${input.default})` : " (required)";
+          formatter.print(`    ${input.name}${suffix}`);
+        }
+      }
+      if (manifest.output?.keys) {
+        formatter.section("  Output");
+        formatter.keyValue("    Keys", manifest.output.keys.join(", "));
+        if (manifest.output.ttl) {
+          formatter.keyValue("    TTL", `${manifest.output.ttl}s`);
+        }
+      }
+      if (manifest.runtime?.permissions?.length > 0) {
+        formatter.section("  Permissions");
+        for (const perm of manifest.runtime.permissions) {
+          formatter.print(`    ${perm}`);
+        }
+      }
+      formatter.print("");
+      formatter.hint(`https://registry.clef.sh/brokers/${entry.name}`);
+      process.exit(0);
+    } catch (err) {
+      formatter.error(err.message);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/search.ts
+function registerSearchCommand(program3, _deps) {
+  program3.command("search [query]").description(
+    "Search the Clef broker registry.\n\nWithout arguments, lists all available brokers.\n\nExit codes:\n  0  Results found or listing complete\n  1  Error fetching registry"
+  ).option("--provider <name>", "Filter by cloud provider (aws, gcp, azure, agnostic)").option("--tier <n>", "Filter by tier (1, 2, 3)").option("--registry <url>", "Custom registry base URL", DEFAULT_REGISTRY).action(
+    async (query, options) => {
+      try {
+        const index = await fetchIndex(options.registry);
+        let results = index.brokers;
+        if (query) {
+          const q = query.toLowerCase();
+          results = results.filter(
+            (b) => b.name.toLowerCase().includes(q) || b.description.toLowerCase().includes(q) || b.provider.toLowerCase().includes(q)
+          );
+        }
+        if (options.provider) {
+          results = results.filter((b) => b.provider === options.provider);
+        }
+        if (options.tier) {
+          results = results.filter((b) => b.tier === Number(options.tier));
+        }
+        if (results.length === 0) {
+          formatter.info("No brokers found matching your query.");
+          process.exit(0);
+          return;
+        }
+        const label2 = query || options.provider || options.tier ? `${results.length} broker${results.length === 1 ? "" : "s"} found` : `${results.length} broker${results.length === 1 ? "" : "s"} available`;
+        formatter.print(`
+  ${label2}
+`);
+        printBrokerTable(results);
+        formatter.print("");
+        process.exit(0);
+      } catch (err) {
+        formatter.error(err.message);
+        process.exit(1);
+      }
+    }
+  );
+}
+function printBrokerTable(brokers) {
+  const nameWidth = Math.max(...brokers.map((b) => b.name.length));
+  const providerWidth = Math.max(...brokers.map((b) => b.provider.length));
+  for (const b of brokers) {
+    const name = b.name.padEnd(nameWidth);
+    const provider = b.provider.padEnd(providerWidth);
+    const tier = `Tier ${b.tier}`;
+    formatter.print(`  ${name}  ${provider}  ${tier}  ${b.description}`);
+  }
+}
+
 // src/index.ts
 var VERSION = package_default.version;
 var program2 = new Command();
@@ -82155,6 +82751,8 @@ registerPackCommand(program2, deps);
 registerRevokeCommand(program2, deps);
 registerDriftCommand(program2, deps);
 registerReportCommand(program2, deps);
+registerInstallCommand(program2, deps);
+registerSearchCommand(program2, deps);
 program2.parseAsync(process.argv).catch((err) => {
   formatter.error(err.message);
   process.exit(1);